(57) Abstract

An electronic transaction system, which facilitates secure electronic transactions among
multiple parties including cardholders (20), merchants (70), and service providers (SP) (60).
The system involves electronic cards, commonly known as smart cards, and their equivalent
computer software package. The card mimics a real wallet and contains commonly seen financial
or non-financial instruments such as a credit card, checkbook, or driver's license. A
transaction is protected by a hybrid key cryptographic system and is normally carried out on a
public network such as the Internet. Digital signatures and random numbers are used to ensure
integrity and authenticity. The card utilizes secret keys such as session keys assigned by
service providers (SPs) to ensure privacy for each transaction. The SP is solely responsible
for validating each participant's sensitive information and assigning session keys. The only
trust relationship needed in a transaction is the one that exists between individual
participants and the SP.

WO 99/57835 PCT/US99/09938

A CRYPTOGRAPHIC SYSTEM AND METHOD FOR ELECTRONIC TRANSACTIONS

FIELD OF THE INVENTION 
The present invention relates generally to a cryptographic system and method for secure
electronic transactions, and more particularly to an electronic card, which takes the form of a
"smart card" and/or its equivalent software.

BACKGROUND OF THE INVENTION 

The generic term, "smart card," generally denotes an integrated circuit (IC) card, that is,
a credit-card-size piece of plastic with an embedded microchip. The IC chip on a smart card
generally, but not necessarily, consists of a microprocessor (the CPU), read-only memory
(ROM), random access memory (RAM), an input/output unit, and some persistent memory such
as electrically erasable programmable read-only memory (EEPROM). The chip can perform
arithmetic computations, logic processing, data management, and data communication.

Smart cards are mainly of two types: contact and contact-less. The International Standard 
Organization (ISO) has established specifications for such electronic cards under the ISO series. 
In particular, ISO 7816 applies to integrated circuit(s) cards. Because of its computing 
capability, a smart card can support a multitude of security features such as authentication,
secured read/write, symmetric key and asymmetric key encryption/decryption. These smart card
security features make it well suited for electronic commerce where data security and 
authenticity are of primary importance. 

Smart card use has found application in many specialized fields such as mass
transportation, health insurance, parking, campus, gas, etc. Its potential use in electronic
commerce and other financial areas is gaining popularity at a rapid pace. U.S. Pat. No.
5,521,362, issued to Robert S. Power on May 28, 1996, entitled "Electronic purse card having
multiple storage memories to prevent fraudulent usage and method therefor," describes an
electronic purse application. Power's invention demonstrates a smart card's capability to be
used as a secure financial instrument and not just as a storage device.

As advances in technology push smart-card chip computing to higher speeds and larger
memory capacity, the concept of a "multi-application" smart card is increasingly becoming
economically and physically feasible. U.S. Pat. No. 5,530,232 issued to Douglas C. Taylor on
June 25, 1996, entitled "Multi-application data card," describes a multi-application card, which
is capable of substituting for a plurality of existing single-application cards and satisfying both
financial and non-financial requirements. The multi-application card uses a conventional data
link to connect between the smart card and the remote service provider. Taylor's invention, the
multi-application card, does not relate to any kind of open network or cryptographic method.
U.S. Pat. No. 5,544,246 issued to Mandelbaum et al. on Aug. 5, 1996, entitled "Smart
card adapted for a plurality of service providers and for remote installation of same," describes
a smart card, which allows different service providers to coexist on the same smart card. Each
service provider is considered a user of the smart card and is installed on the card by the
issuer/owner of the smart card. Each user is allowed to build a tree-like file structure and protect
it with a password file. Mandelbaum's invention depicts a smart card that allows for the creation
and deletion of multiple applications. Mandelbaum's smart card controls the access to each
application by using an appropriate password file.

U.S. Pat. No. 5,671,279 issued to Taher Elgamal on September 23, 1997, entitled
"Electronic commerce using a secure courier system," describes a system for implementing
electronic commerce over a public network using public/private key cryptography. The Elgamal
patent did not mention the use of a smart card as a tool in conducting the electronic commerce
and the participants were authenticated through the use of digital certificates. The secure courier
system requires a secured channel such as a Secure Socket Layer (SSL) between the trading
parties over an open network such as the Internet.
U.S. Pat. No. 5,790,677, issued to Fox et al. on August 4, 1998, entitled "System
and method for secure electronic commerce transactions," describes a system and method
having a registration process followed by a transaction process. During the registration
phase, each participant of a transaction registers with a trusted credential-binding server
by sending to the server a registration packet. The server produces unique credentials
based upon the request received and sends them to the request originator. During the
transaction phase, the originator of the transaction requests, receives and verifies the
credentials of all intended recipients of the commerce document and/or instrument and
encrypts the document and/or instrument using the public key of the individual recipient.
Thus, each receiving party can decrypt and access the information intended only for him.
Fox's patent describes a process which reflects the theme of the so-called "Secure
Electronic Transaction" (SET) standard which is an ongoing effort supported by several
major financial and software companies to establish a digital certificate and certificate
authority based electronic commerce system.

U.S. Pat. No. 5,796,840 issued to Derek L. Davis on August 18, 1998, entitled "Apparatus
and method for providing secured communication," describes a semiconductor device, which is
capable of generating device-specific key pairs to be used in subsequent message authentication
and data communication. The semiconductor device uses public/private key cryptography to
ensure the authenticity of two communicating parties.

U.S. Pat. No. 5,534,857 issued to Simon G. Laing and Matthew P. Bowcock on July 9,
1996, entitled "Method and System for Secure, Decentralized Personalization of Smart Cards,"
describes a method and apparatus for securely writing confidential data from an issuer to a
customer smart card at a remote location. A mutual session key for enciphering data transfer
between a secure terminal and a secure computer is generated by using a common key stored in
the secure computer and a retailer smart card.

It is clear from the inventions mentioned above that the architecture of a secure electronic 
commerce system involves a public key infrastructure and digital certificate authority associated 
with it. 

On an open network, a secret key-based system is less flexible in terms of key distribution
and key management, and is more subject to malicious attack. On the other hand, a
public/private key-based system, with all its advantages over the secret key system, has its own
daunting task of authenticating transaction parties to one another. The current invention presents
another system and method, which replaces the need for certificate authorities and digital
certificates. The current invention is a hybrid system for electronic transactions. The hybrid
system uses public/private keys during the key exchange phase and uses a session key as a secret
key during the transaction phase.

SUMMARY OF THE INVENTION 
The invention is a cryptographic system and method for electronic transactions by using
an electronic card (EC) in the form of a smart card or equivalent software and communicating
over a communications network.

The preferred embodiment of the invention uses an open network, such as the Internet.
Alternative embodiments of the invention may use other types of networks. An embodiment of
the invention may either use a physical smart card, or alternatively, a smart card, which is
implemented as a computer software package and runs on a computing device such as a personal
computer (PC). Likewise, a merchant involved in a transaction may use a merchant device,
which is a point-of-sale terminal, or a device, which uses software on a host computer to
communicate with an EC and a service provider. When a smart card is used, a smart card reader
is also needed to allow the card to communicate with a host device, such as a network ready
merchant terminal, a PC, or any other electronic device, which is capable of supporting smart
card transactions.

In a public key and digital certificate based system, transaction participants exchange
public information through the use of digital certificates or other electronic credentials which are
issued and certified by a certificate authority (CA) or credential binding server. The
communication between the CA or the server and each participant of the transaction must be
secure. Random numbers and digital signatures are used to ensure the authenticity and validity
of the messages transmitted among the participants.

The cryptographic system and method of the preferred embodiment of the invention also
uses public/private key cryptography, but it works in a slightly different way. The cryptographic
system and method does not seek to create another kind of trust relationship as the one that exists
between holders of digital certificates and the certificate authorities. It particularly targets large
membership-based financial institutions such as a large credit card company and all its
cardholders, or a major bank and all its ATM cardholders as its potential users. Non-financial
institutions can also use this cryptographic system and method to conduct commercial or
non-financial transactions over a network.

A service provider (SP) provides some service to its members. Financial institutions are
just one kind of service provider. A service provider can also be non-financial in nature.
Regardless of whether a service provider is a financial institution or a non-financial institution,
essentially the same process occurs. The only difference between a transaction involving a
financial institution and a transaction involving a non-financial institution is that the messages
may include different data fields.

When an EC holder signs up with one of the service providers, the service provider creates
a dedicated entry on the EC. Each entry contains the account information for the service
provider, the SP's public key, access control information, and other related data. Each EC can
support a predetermined number (e.g. ten) of such entries and each such entry is a representation
of one service provider.

By using the public/private key cryptography, the key distribution process is much
simplified. The EC holder him/herself or any trusted third party such as a bank branch or even
a post office can perform the task. The SP's public key is only used for the initial key exchange
between the SP and the cardholder. After the initial key exchange step, the SP assigns a session
key, which protects any further message exchange between the cardholder and the SP or between
the cardholders themselves.

This hybrid system, which uses both public key/private key cryptography and secret key
cryptography (i.e., session key), is in contrast to other secret-key systems in that in the hybrid
system, the secret key (i.e., session key) is valid for a single session and is not applicable to other
sessions. A session has a determinate length of time. A session may terminate based upon a
time period or upon conditions being satisfied.

Where a merchant is involved in a transaction, the merchant goes through essentially the
same procedures as the EC holder to communicate with the SP. The merchant will first perform
a key exchange with the SP and receive a session key. The session key will be used by the
merchant for subsequent communication with the SP. The cardholder and the merchant digitally
sign each message going to the SP and the SP similarly signs the response message going back
to the cardholder and the merchant.

In the event that a transaction requires interactions with another certificate-based system,
the SP, after authenticating the cardholder and the merchant based on further information
exchange after the initial key exchange, can act as a surrogate-certificate for the cardholder and
the merchant. In the most extreme case, the SP performs solely this surrogate function and
becomes a gateway for the certificate-based system. This type of hierarchy is highly desirable
since it reduces the number of trust relationships needed to carry out a transaction among
multiple systems. In addition, it eliminates the users' need to carry certificates.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram showing the relationship among the components of a
system according to an embodiment of the invention.

Figure 2 shows the flow of the two transaction phases via a network.

Figure 3 is the diagrammatic representation of an EC.

Figure 4 shows the format of the service provider data area. Each service provider's
information is allocated an entry in the table and is protected by access conditions.

Figure 5 shows how the digital signatures are used in an embodiment of the invention.

Figures 6A through 6Q show the schematic flow chart of the cryptographic system and
method used in an embodiment of the invention in order to conduct electronic transactions via
an open telecommunication network, such as the Internet.

Figure 7 through Figure 11 depict the final format and content of the combined request
and response messages in the key exchange phase and the transaction phase.

Figure 12 shows a service provider conducting a transaction with participants that have
been arranged in series.

Figure 13 shows a service provider transaction on a network with participants that have
been arranged in a hierarchical organization scheme.

DETAILED DESCRIPTION 

The preferred embodiment of the invention is a cryptographic system and method for 
electronic transactions by using an electronic card (EC) in the form of a smart card or 
equivalent software and communicating over a communications network. 

In the preferred embodiment of the invention, the network is an open network such as
the Internet. In alternative embodiments of the invention, other open networks and/or closed
networks may be used to establish communication between a service provider and its
members. For example, a service provider may use its own proprietary financial network to
communicate with its members.

Any Internet protocol may be used for Internet connections. Example protocols
which can be used include TCP/IP, UDP, HTTP, and the like.

Communication may also be via a communications network transport service such as
the Public Switched Telephone Network (PSTN) using traditional analog telephone service
(a.k.a. Plain Old Telephone Service or POTS), or by using a digital communication service
such as a T-1, E1 or DS-3 data circuit, Integrated Services Digital Network (ISDN), Digital
Subscriber Line (DSL) services, or even using a wireless service, and the like. When
implemented using such a service the invention may be implemented independent of a
communications protocol (i.e. at an electrical interface layer).

Communication may also be via a local area network (LAN) or Wide Area Network
(WAN) such as Ethernet, Token Ring, FDDI, ATM or the like. Example protocols which
can be used include TCP/IP, IPX, OSI and the like.

Other communication links might include an optical connection, a wireless RF modem
connection, a cellular modem connection, a satellite connection, etc.

The invention may be employed as long as a communication path can be established
between a service provider and its members. The examples above are intended to illustrate
several examples of the various communications environments in which the invention may be
practiced. As is clear to one ordinarily skilled in the art, the invention is not limited to those
environments detailed above.

The EC can take the form of a smart card device or a software package running on a
computer system such as a personal computer (PC). When the EC is implemented on a smart
card, it can be used on a network-ready computer system such as a PC to transact with another
member and/or a selected service provider. It will need a read/write interface device to
communicate with a computer system and some application software such as an Internet browser
to interface with the cardholder and the network. If the EC is a software package loaded into a
computer system, then no read/write interface is needed. The exemplary embodiment of the
invention is for the EC to act as an electronic wallet (or cyber wallet) which functions similarly
to a real wallet. A real wallet can carry credit cards, debit cards, ATM cards, health provider
cards, membership cards, cash, etc. An EC has the digital equivalent of all the above-mentioned
financial and non-financial instruments and enables conducting secure transactions over the
Internet.

A service provider member can be a merchant and/or an EC cardholder. A merchant is
a member who is paid by the service provider as a result of a transaction. A member can be both
a merchant and an EC cardholder. A merchant may engage in a transaction with other
cardholders, which results in the merchant being paid by the service provider. A merchant may
also be an EC cardholder and purchase supplies, for example, from a merchant supplier.

The cryptographic system may involve communication between a service provider and
any number of service provider members. Thus, communication can be between an EC and an
SP, between a merchant and an SP, between a first EC, a second EC, and an SP, between a first
merchant, a second merchant, and an SP, etc. An EC may communicate directly with a service
provider to inquire about an account balance for example. A merchant may communicate with
a service provider only on his own behalf and not on behalf of an EC because, for example, the
merchant wants to know his own account balance with the service provider. Communication
between the SP and its members may follow any permutation of the SP and its members. The
organization of the communication links between the SP and its members may be sequential
and/or hierarchical. Communication between the SP and its members may also be via routers,
which route the messages between the SP and its members.

The cryptographic method is a two-phased key-exchange-transaction model. The first
phase is a key exchange phase. The second phase is the transaction phase. In the key exchange
phase, the members exchange keys with the service provider. The members send their keys to
the service provider and the service provider uses the keys to send a session key to the members.
The session key protects any further message exchange between the cardholder and the SP or
between the cardholders themselves. In the transaction phase, either the SP can direct the
transaction or the cardholders themselves may conduct the transaction.

Figure 1 is a block diagram showing the relationship among the components of a system
according to an exemplary embodiment of the invention involving a cardholder, a merchant, and
service provider.

An EC cardholder 20 can conduct a transaction over a network 50 and communicate with 
a merchant either by using an EC read/write device 82 attached to an originating computer 84 
or by using EC equivalent software 92 running on an originating computer unit 90. 

A merchant can conduct a transaction over a network by either using a network-ready
point-of-sale(s) (POS) terminal 40 or by using EC equivalent software running on a merchant
device 70 to conduct an electronic transaction with a selected service provider 60 via a network
50 such as the Internet.

Once the access conditions to the card have been satisfied, the cardholder can perform
financial or non-financial transactions with other participants of the system through the network
50. In Figure 1, there are three different scenarios in which a transaction over a network can be
conducted.

(1) In a POS transaction (Upper left side of figure 1), the cardholder 20 swipes/inserts an
EC through/into a merchant's EC reader/writer 30 at a merchant's premises. The EC
reader/writer is connected to a network-ready merchant POS terminal 40. The
network-ready merchant POS terminal 40 is a secure tamper-resistant programmable device
comprising an input means such as a keyboard, a display device, a processing unit, and
an EC read/write device 30 (an EC interface device). It is typically a small computer
unit such as a PC equipped with a communication link to an open network. The POS
terminal communicates to the SP via the network 50.

(2) (Right side of figure 1) A cardholder can conduct a transaction with other participants
of the system by inserting the EC 20 into a read/write device 82, which is connected to
the cardholder's personal computer 84 which is the originating computer. The
originating computer connects to a network 50 allowing the EC to communicate with
the merchant computer unit 70. The merchant computer unit 70 has EC equivalent
software 72 that enables the merchant to receive the EC generated message and
generates a message combining EC information and merchant information. Then, the
combined message is sent to the SP over a network.

(3) (Bottom side of figure 1) A cardholder can conduct a transaction with other participants
of the system by using EC equivalent software 92 on the customer cardholder's personal
computer 90. The transaction begins at the originating computer unit 90, that is, the
cardholder's personal computer. The cardholder conducts the transaction over a
network 50 and communicates with the merchant's computer unit 70, which in turn
communicates with the SP 60 over a network 50.

While in the preferred embodiment of the invention, a personal computer is used to hold the 
EC equivalent software, in alternative embodiments of the invention other electronic devices can 
be used to hold the EC equivalent software. 

In the preferred embodiment of the invention, the network used to enable the EC to
communicate with the merchant is the same network used to enable the merchant to
communicate with the SP. In another embodiment, the network used to enable the EC to
communicate with the merchant may not be the same network used to enable the merchant to
communicate with the SP. In yet another embodiment, the network used to enable one merchant
to communicate with the SP may not be the same as the network used to enable another merchant
to communicate with the SP. In still yet another embodiment, the network used to enable an EC
to communicate to the merchant may not be the same as the network used to enable another EC
to communicate with another merchant. An embodiment may consist of a multiplicity of
networks whereby different parties communicate.

In the preferred embodiment of the invention, a transaction is broken down into two phases:
a key exchange phase and a transaction phase. Figure 2 is a specific case, which illustrates the
two-phase key-exchange-transaction model where the SP directs the transaction phase. There is
no direct exchange of sensitive information between participants when the SP directs the
transaction.

The key exchange phase is the same where the transaction phase is among the cardholders
themselves and where the SP directs the transaction phase. Where the transaction phase is
among the cardholders themselves, the cardholders use the SP session key to communicate with
each other and conduct a transaction.

Figure 2 demonstrates a financial transaction where the SP directs the transaction phase.
The transaction shown involves three parties: an EC (a transaction originator) 102, a merchant
104, and a service provider (SP) 106. The originating party is an EC cardholder who is the
consumer and is represented by the computer unit 102. The computer unit 104 represents the
merchant. The computer unit 106 represents the service provider. An SP is selected by both an
EC and merchant.

Figure 2 demonstrates a financial transaction wherein the process flow is from an EC to a
merchant to an SP. The cryptographic method's process flow is not limited to any particular
order between merchants and EC cardholders. Figure 2 is merely an example of a particular
transaction, which flows from EC to merchant to service provider. The process flow can also
go from merchant to EC to service provider. Figure 2 demonstrates how service provider
members (in this case, the EC cardholder and the merchant) create, append, and send messages
to a service provider.

The ten arrows numbered 1 to 10 in figure 2 show how the messages flow among the three
parties during the two transaction phases. Steps 1 through 4 belong to the key exchange phase
and steps 5 through 10 belong to the transaction phase. In figure 2, the merchant serves as an
intermediary between the EC and SP. In step 1, the key exchange request is formatted by the EC
and sent to the merchant. In step 2, the merchant combines his own key exchange message with
the EC's key exchange message and sends the combination key exchange message to an SP. In
step 3, the SP formats a key exchange response for the merchant, formats a key exchange
response for the EC, combines the key exchange responses to form a combined key exchange
response and sends the combined key exchange response to the merchant. In step 4, the
merchant separates the key exchange response for the merchant from the key exchange response
for the EC and forwards the EC's key exchange response message back to the EC. Step 4
concludes the main activities in the key exchange phase.

The transaction phase begins with step 5. In step 5, the EC formats its transaction request
message and sends it to the merchant. In step 6, the merchant combines the received transaction
request message with his own transaction request message and sends the combination transaction
request message to the SP. In step 7, the SP formats a transaction response message for the
merchant, formats a transaction response message for the EC, combines the transaction response
messages and sends the combined transaction response message back to the merchant. In step 8,
the merchant separates the transaction response message for the merchant from the transaction
response message for the EC and forwards the EC's transaction response message back to the
EC. In step 9, the EC formats a confirmation message and sends it to the merchant. In step 10,
the merchant combines the received confirmation message with his own confirmation message
and sends the combination confirmation message to the SP. Step 10 concludes the transaction
phase of a transaction.
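
The combine and separate pattern of steps 5 through 8 can be illustrated with the following added example, which is not code from the patent. It assumes the key exchange phase has already completed, assumes a separate session key for each member, and substitutes an HMAC-SHA256 tag under the session key for the encryption and digital signatures described in the text; all class, function, and field names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

def tag(key, body):
    """Integrity tag over a canonical JSON encoding of one message part."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Member:
    """EC cardholder or merchant holding the session key the SP assigned."""
    def __init__(self, member_id):
        self.member_id, self.session, self.key = member_id, None, None

    def request(self, fields):
        # A fresh random number per message lets the SP reject replays.
        body = {"member": self.member_id, "session": self.session,
                "nonce": secrets.token_hex(8), "fields": fields}
        return {"body": body, "tag": tag(self.key, body)}

    def accepts(self, part):
        body = part["body"]
        return (body["member"] == self.member_id and body["session"] == self.session
                and hmac.compare_digest(part["tag"], tag(self.key, body)))

def combine(*parts):
    """Merchant, steps 6 and 10: bundle the EC's part with its own."""
    return {"parts": list(parts)}

def separate(combined, member_id):
    """Merchant, step 8: pick one member's part out of a combined response."""
    return next(p for p in combined["parts"] if p["body"]["member"] == member_id)

class ServiceProvider:
    def __init__(self):
        self._keys = {}     # (session, member) -> session key
        self._seen = set()  # (session, member, nonce) already processed

    def open_session(self, *members):
        """Stand-in for steps 1-4: hand each member a fresh session key."""
        session = secrets.token_hex(8)
        for m in members:
            m.session, m.key = session, secrets.token_bytes(32)
            self._keys[(session, m.member_id)] = m.key
        return session

    def close_session(self, session):
        """A session key is valid for one session only; forget it afterwards."""
        for ident in [i for i in self._keys if i[0] == session]:
            del self._keys[ident]

    def _valid(self, part):
        body = part["body"]
        ident = (body["session"], body["member"])
        key = self._keys.get(ident)
        if key is None or not hmac.compare_digest(part["tag"], tag(key, body)):
            return False
        replay_id = ident + (body["nonce"],)
        if replay_id in self._seen:
            return False
        self._seen.add(replay_id)
        return True

    def process(self, combined):
        """Step 7: verify every part, then answer each member under its own key."""
        ok = all([self._valid(p) for p in combined["parts"]])
        out = []
        for p in combined["parts"]:
            ident = (p["body"]["session"], p["body"]["member"])
            if ident in self._keys:
                body = {"member": ident[1], "session": ident[0],
                        "status": "approved" if ok else "rejected"}
                out.append({"body": body, "tag": tag(self._keys[ident], body)})
        return {"parts": out}

def run_demo():
    # Constructed identifiers and amounts, for illustration only.
    sp, ec, merchant = ServiceProvider(), Member("ec-20"), Member("merchant-70")
    session = sp.open_session(ec, merchant)
    results = {}
    bundle = combine(ec.request({"amount": "25.00"}),
                     merchant.request({"amount": "25.00"}))
    reply = sp.process(bundle)
    results["normal"] = separate(reply, "ec-20")["body"]["status"]
    results["ec_accepts_reply"] = ec.accepts(separate(reply, "ec-20"))
    # The same bundle sent again: both nonces were already seen.
    results["replay"] = separate(sp.process(bundle), "ec-20")["body"]["status"]
    # The EC's amount is changed in transit by a party without the EC's key.
    altered = ec.request({"amount": "25.00"})
    altered["body"]["fields"]["amount"] = "250.00"
    reply = sp.process(combine(altered, merchant.request({"amount": "250.00"})))
    results["altered"] = separate(reply, "ec-20")["body"]["status"]
    # After the session ends, messages under its key no longer verify.
    late = combine(ec.request({"amount": "1.00"}))
    sp.close_session(session)
    results["after_close"] = sp.process(late)["parts"]
    return results
```

Calling `run_demo()` returns the SP's verdict for each case; the EC's part of a combined response verifies only under the EC's own session key, so the merchant forwards it without being able to alter it undetected.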

While figure 2 demonstrates a simple transaction, some transactions may involve multiple
messages. During some transactions, more than one message may be required to complete each
phase, in which case, those messages will follow the same rules of combination and flow pattern.
For example, during the transaction phase, the SP may require that the EC and the merchant send
over account information first. If the account information is verified to be valid, the SP sends
confirmation of the account information in the response message. Once the merchant and the
EC receive the response message, then the EC and the merchant send the transaction amount
and other transaction related information in the next message going to the SP. The SP
subsequently approves or disapproves the transaction. The steps in figure 2 apply to both the
account message and the transaction message.

If the completion of a transaction requires interaction with some external system such as
a public key and digital certificate based system 108, the SP will act as a surrogate-certificate
for the EC and the merchant and deal with the external system on behalf of the EC and the
merchant. A desired result of the invention is to shield all of the participants of a transaction
from an external system and therefore reduce the number of trust relationships needed to
complete a transaction. If a participant of a transaction has dual membership of this system and
an external system, then he has a choice of either acting as a member of this system or as a
member of an external system. In the latter case, the SP will interface with the participants using
the rules of an external system. For example, to deal with an external public and digital
certificate or credential based system, the SP has in its possession all of the required certificate(s)
or credential(s) which satisfies the trust relationship demanded by the external system. Such
credentials are required in order for the SP and the external system to complete the transaction
initiated by the EC and the merchant. In this case, only the SP needs to have a trust relationship
with the external system. Based on this trust relationship, individual ECs and merchants are able
to complete transactions with the hypothetical external system.

Figure 3 is a diagrammatic representation of a preferred embodiment of an EC. In a
preferred embodiment of the invention, an EC is internally composed of the software/hardware
components shown in Figure 3. The EC is ISO 7816-based and supports the same kind of
communication protocols and commands as defined in ISO 7816.

The EC has a card operating system 550 to manage the EC's internal resources. The
on-card cryptographic service 650 can be implemented in software or be provided by a
cryptographic co-processor (not shown in figure 3), or other hardware solutions, or a hybrid of
software and hardware.

One of the unique features of the EC is the service provider data area (SPDA) in the EC
memory, which contains the service providers' account and key information. The service
provider data area (SPDA) 700 contains a number of slots. In the preferred embodiment, the
SPDA contains a pre-defined number (e.g. ten) of slots, one for each potential service provider.
In another embodiment, the number of slots may be dynamically changed. A record for each
service provider can be placed into an empty slot. Each record contains the account number,
public key, and other related information for a specific service provider.

Depending on the EC design, the SPDA can optionally allow each SP to include some
software (such as an "applet" in the JAVA terminology) to manage its own on-card data and
provide an interface between the SP card data and the host application. In other words, the SPDA
can contain more than just simple data; it can allow each SP to put a self-contained application
program (such as an applet) on the EC to provide its own unique service to the cardholder. The
advantage of this type of design is that the EC itself is now detached from the type of service it
can provide. Each SP can bring with it its own service capability. When another SP replaces
an on-card SP, there will be no change necessary to the EC platform. The new SP applet is
simply loaded into the card and it will perform what it is designed to do.

In the SPDA, each service provider is allocated space for public keys. In many transactions,
only one key pair is used, but for some online transactions, two or more key pairs are required.
If the SP uses the same public/private key pair for both incoming messages and the signing of
outgoing messages, then one public key is enough. If the SP uses a different key pair for signing, then
both SP public keys (one for incoming messages and one for the signing of outgoing messages)
are required in the SPDA.

In the preferred embodiment of the invention, two public/private key pairs rather than one
public/private key pair are used to communicate with other applications through a network
because using two public/private key pairs rather than one public/private key pair provides
greater security. One pair is used for decrypting an incoming message, i.e., the sender encrypts
the message using the recipient's public key and the recipient decrypts the message using the
corresponding private key. The other pair is for the sender to digitally sign the message he sends
out and the recipient to verify the digital signature using the corresponding sender's public key.

Each service provider is allocated space for the number of public keys used by the service
provider. If the SP uses the same public/private key pair for both incoming messages and
signing of outgoing messages, then one public key is enough. If the SP uses different key pairs
for receiving and signing messages, then both of the SP's public keys are required in the SPDA.

In an alternative embodiment of the invention, more than two public/private key pairs may 
be required and used by a service provider for even greater security. 

When an EC holder is issued a new financial or non-financial instrument, the issuing
institution or a trusted third party will load the needed information comprising a record into an
available slot. The information in the slot can be erased when the service provider account is
closed. Some of the information in a slot can be read and modified during a transaction, e.g. an
account balance. Some information such as account number is write protected, but can be read.
Some information such as a private key is both read and write protected. The access conditions
600 contain security information such as PINs, biometric data, etc., that an EC user must submit
to open the card for use or to gain access to the information stored on the card.

Traditional Personal Identification Numbers (PINs) or other security measures such as
biometric data are used to protect the EC. Biometrics involves the measurement of a
cardholder's biological traits, such as physical traits and behavioral traits. A biometric system
may measure an individual's fingerprints, hand-geometry, handwriting, facial appearance,
speech, physical movements, keyboard typing rhythms, eye features, breath, body odor, DNA,
or any other physical attribute of the cardholder. The functions provided by an EC can be
activated only after all the access conditions have been satisfied. Each service provider residing
on the card can optionally implement other access conditions.

Figure 4 shows the format of the service provider data area of a preferred embodiment of
the invention. Each service provider's information is allocated an entry in the table, which can
be protected by additional access conditions. The PIN 712 and the miscellaneous data field 714
allow the service provider to provide extra protection or data fields to the instrument it supports.
The name field 702 contains the names of the service providers, which can be used by the
cardholder at the beginning of an online transaction to initially select the applicable service
provider for a transaction. The key type field 704 specifies the type of key the service provider
chooses to use, secret key, public key, etc. The key value 706 and account information fields
708 contain information unique to each service provider. The card type field 710 specifies the
type of instrument a service provider supports.
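The slot and access-condition rules above can be modelled as follows. This is an added Python sketch, not part of the patent text; the class, the field names and the per-field rights table are assumptions chosen to mirror the three protection classes the description gives (read/write, read-only, neither), and issuer authorization for loading a record is not modelled.

```python
import hmac

READ, WRITE = "read", "write"

# Host-visible rights per field (assumed field names, loosely following Figure 4).
FIELD_RIGHTS = {
    "name": {READ},
    "card_type": {READ},
    "account_number": {READ},      # write protected, but can be read
    "balance": {READ, WRITE},      # can be read and modified during a transaction
    "private_key": set(),          # both read and write protected
}


class AccessDenied(Exception):
    pass


class ElectronicCard:
    def __init__(self, card_pin, slots=10):
        self._card_pin = card_pin
        self._unlocked = False
        self._slots = [None] * slots          # pre-defined number of SPDA slots

    def unlock(self, pin):
        """Card-level access condition: nothing is reachable until this succeeds."""
        self._unlocked = hmac.compare_digest(pin, self._card_pin)
        return self._unlocked

    def load_record(self, record, slot_pin=None):
        """Place a service provider record into the first empty slot; return its index."""
        for index, slot in enumerate(self._slots):
            if slot is None:
                self._slots[index] = {"fields": dict(record), "pin": slot_pin}
                return index
        raise AccessDenied("no empty SPDA slot")

    def close_account(self, index):
        self._slots[index] = None             # slot content is erased

    def _fields(self, index, field, right, slot_pin):
        if not self._unlocked:
            raise AccessDenied("card access conditions not satisfied")
        slot = self._slots[index]
        if slot is None:
            raise AccessDenied("empty slot")
        # Optional extra access condition set by the service provider for its own slot.
        if slot["pin"] is not None and not hmac.compare_digest(slot_pin or "", slot["pin"]):
            raise AccessDenied("service provider access condition not satisfied")
        if right not in FIELD_RIGHTS.get(field, set()):
            raise AccessDenied(f"{field} is {right} protected")
        return slot["fields"]

    def read(self, index, field, slot_pin=None):
        return self._fields(index, field, READ, slot_pin)[field]

    def write(self, index, field, value, slot_pin=None):
        self._fields(index, field, WRITE, slot_pin)[field] = value
```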

In the preferred embodiment of the invention, the on-card Operating System (COS)
provides some fundamental services for the cardholder. Following is a list of general functions
which can be performed by the COS:

(1) Traditional OS functionality such as memory management, task management, etc.

(2) External communication - read/write of user data and communication protocol handling.

(3) Loading and updating of on-card cardholder information.

(4) User PIN changes.

(5) Service Provider Data Area management - such as loading and updating of individual service
provider information, SPDA access control, etc.

The COS will also provide support during various stages of a transaction. For example, the
COS can handle the SP selection at the beginning of a transaction and record the transaction into
a log file when the transaction has been completed. An embodiment of the invention may
implement one of the following two design approaches to the COS or a hybrid of the two design
approaches:

(1) Most of the intelligence can be put into the COS whereby the COS supports most of the EC
functionalities. Consequently, each on-card service provider area relies on the COS to carry
out the transaction with the merchant and the SP. In this approach, the COS can provide
a uniform interface with the outside world for all on-card SPs and efficiently carries out the
transaction once a SP has been selected.

(2) Alternatively, the COS can be a pool of general services each on-card SP can utilize. Each
SP data area can contain applets, which have the intelligence to carry out a transaction with
the merchant and the SP. In this approach, the SP has more opportunity to implement its
own unique feature when performing a transaction.

Figure 5 shows how digital signatures are used in the preferred embodiment of the
invention. A sender of a message first prepares and sends the data portion of a message M 900
through a one way hash algorithm, H(*) 902. The output from the hash algorithm is called the
message digest MD of message M 903. The MD is then encrypted, E(*) 904, i.e. digitally signed,
using the sender's private key (Pri). The result is called the digital signature DS of a message M.
The DS is then combined with the original message M 900 and forms a complete message 906
ready for transmission to a recipient through a network 50.
The public-key encryption/decryption function can be any of a number of
encryption/decryption functions. RSA, which takes its name from the first initials of RSA
developers' last names (Ronald Rivest, Adi Shamir, and Len Adleman), is just one example of
a public-key encryption/decryption method, which can be used in an embodiment of the
invention.

When the intended recipient receives the message from a network 50, he first separates the
data portion of the message M 900 from the digital signature 912 combined with it. The
recipient then runs the data portion of the message M 900 through the same hash algorithm 910
that was used to encode the data portion of message M 900, and consequently obtains a message
digest MD^ 911 of M. The recipient then decrypts, D(*) 908, the digital signature 912 contained
in the original message using the sender's public key (the EC's public key) and
recovers the original message digest, denoted here as MD 909. MD 909 is compared with the
newly calculated MD^ 911 for correctness. If they are not identical, the original message has been
corrupted and should be rejected.

Following is a list of symbols and abbreviations used in Figures 5 through 11:

Acknowledgement Data_EC = A part of the message sent back by the EC to the SP. It notifies the
SP that the previous message has been successfully received and processed.
Acknowledgement Data_M = A part of the message sent back by the merchant to the SP. It
notifies the SP that the previous message has been successfully received and processed.
AI_EC = Account information of EC holder.
AI_M = Account information of merchant.
CRYPTO = Cryptogram
D = Decryption function
D_SP-Private-Key = Decryption using SP's private key.
DS = Digital signature function.
DS_EC-Private-Key = Digital signature signed by the EC on a message.
DS_M-Private-Key = Digital signature signed by the merchant on a message.
DS_SP-Private-Key = Digital signature signed by the SP on a message.
E = Encryption function.
E (Data) = Encryption of data under a data encryption key.
E_SP-PK, E_SP-Public-Key = Data encrypted by SP public key
E_Skey-EC, D_Skey-EC = Encryption/Decryption using the session key that the SP generated for the EC.
E_Skey-M, D_Skey-M = Encryption/Decryption using the session key that the SP generated for the
merchant.
EC = Electronic card, or electronic card equivalent software
H (M) = Apply a one-way hashing algorithm on M. It generates the message digest (MD) of M.
KE = Key exchange phase.
M = Merchant
MD = Message Digest
MD^ = Message Digest produced by message recipient using the message just received as input
data.
MD_EC = The message digest of a message going from EC to SP.
MD_M = The message digest of a message going from merchant to SP.
MD_SP-M = The message digest of a message going from SP to merchant.
MD_SP-EC = The message digest of a message going from SP to EC which is bypassed by
merchant.
PLAIN TEXT: Transaction data, which can be transmitted without encryption. Plain text can
be different for different messages and transaction parties.
PLAIN TEXT_EC = Part of the transaction data provided by EC in its outgoing messages. Plain
text data fields are not security sensitive. Therefore, they are transmitted without encryption.
Note that the content of this symbol can be different when used in a different message.
PLAIN TEXT_M = Part of the transaction data provided by merchant in its outgoing messages.
Plain text data fields are not security sensitive. Therefore, they are transmitted without
encryption. Note that the content of this symbol can be different when used in a different
message.
PLAIN TEXT_SP-EC = Part of the transaction data provided by SP for EC only in its outgoing
messages. Plain text data fields are not security sensitive. Therefore, they are transmitted without
encryption. Note that the content of this symbol can be different when used in a different
message.
PLAIN TEXT_SP-M = Part of the transaction data provided by SP for merchant only in its outgoing
messages. Plain text data fields are not security sensitive. Therefore, they are transmitted without
encryption. Note that the content of this symbol can be different when used in a different
message.
STD = Sensitive transaction data, which requires encryption during data transmission.
STD_EC = Sensitive transaction digital data provided by EC in its outgoing messages. Note that
the content of this symbol can be different when used in a different message.
STD_M = Sensitive transaction digital data provided by merchant in its outgoing messages. Note
that the content of this symbol can be different when used in a different message.
PK = Public key
EC-PK, PK_EC = Public key of the electronic card.
M-PK, PK_M = Public key of the merchant.
SP-PK, PK_SP = Public key of the selected service provider.
Response Data_SP-EC = A part of the message sent back by the SP to the EC during the transaction
phase of a transaction. It can include approval/disapproval data and/or any other relevant data.
Response Data_SP-M = A part of the message sent back by the SP to the merchant during the
transaction phase of a transaction. It can include approval/disapproval data and/or any other
relevant data.
RN = Random number.
RN_EC = Random number generated by the EC and is sent to SP.
RN_SP-EC = Random number generated by the SP and is sent to EC.
RN_M = Random number generated by the merchant.
RN_SP-M = Random number generated by the SP and is sent to M.
SP = Financial or non-financial service provider
TA = Transaction (currency) amount.
Transaction Identification Number_SP-EC, TID_SP-EC (Transaction ID_SP-EC) = A data field whose value
is assigned by the SP during the key exchange phase of a transaction. The EC will use this value
to communicate with the SP during the same transaction.
Transaction Identification Number_SP-M, TID_SP-M (Transaction ID_SP-M) = A data field whose value
is assigned by the SP during the key exchange phase of a transaction. The merchant will use this
value to communicate with the SP during the same transaction.
* = Combine or concatenation of data within an encryption E or a decryption D.

Figures 6A through 6Q comprise the flowchart for a preferred embodiment of the
cryptographic system and method. For the purpose of simplifying the description and symbolism
contained in Figures 6A through 6Q, the flowchart assumes that each of the parties involved in
the transaction uses one key pair. In another embodiment of the invention, two public key pairs
may be used, in which case, both public keys need to be exchanged.

The preferred embodiment of the invention consists of two distinct phases: the key
exchange phase and the transaction phase.

PHASE I: KEY EXCHANGE PHASE (HANDSHAKE PHASE)

The EC cardholder inserts the EC into a card read/write device or starts the EC equivalent
software and enters a PIN number and/or satisfies the access conditions 110 to use the EC card.
The entered security information is compared 112 with the on-card information 114
to verify that the user is authorized to use the EC. If the security information does not match the
card security information, then the request to use the card is rejected 116. Otherwise, the card
is unlocked 118 for use. Once the card is unlocked, the user can request the list of the on-card
SPs available for selection and make a selection 120 by issuing an SP selection command to the
EC. Once the SP is selected, the EC proceeds to start the key exchange (KE) with the SP. The
public key of the selected SP, represented by the symbols SP-PK and PK_SP, is obtained from the
EC's SPDA and is used to encrypt messages that will be sent to the SP.

The main purpose of the KE is to securely send the cardholder's public key, PK_EC 126, and
an EC random number, RN_EC 124, to the SP. The SP response to the EC is to assign a session key
and a transaction ID to the EC, which will be used by the EC to communicate with the SP for the
rest of the transaction. To format the KE message, the EC generates a random number, RN_EC
124, concatenates it with the EC's public key, PK_EC 126, and EC sensitive transaction data
STD_EC 128 relevant to the transaction and/or required by the SP. The EC encrypts them 122
using the SP's public key, PK_SP, retrieved from the SPDA 120. The resulting EC cryptogram,
E_SP-PK(RN_EC*PK_EC*STD_EC), is then combined 130 with the plain text portion of the message,
PLAIN TEXT_EC 132, if any, to form an EC combination message,
PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC). The EC's public key PK_EC 126 may be placed in the
plain text PLAIN TEXT_EC instead of being encrypted when forming the EC combination message.

Only sensitive data is encrypted. Non-sensitive response data is included in the plain text.
Only the SP is able to read the sensitive data. In a multi-party transaction, the SP has full access
to the sensitive information of all the participants.

The resulting EC combination message is then sent through a hashing algorithm 134 to form
a hash message, which is the EC message digest MD_EC. The EC message digest MD_EC is
digitally signed by the EC 136 using the EC private key 138 to form a digitally signed message
DS_EC-Private-Key. The digitally signed message DS_EC-Private-Key is then combined 140 with the EC
combination message. The combination of the plain text PLAIN TEXT_EC, cryptogram
CRYPTO_EC and the digital signature DS_EC-Private-Key is the KE message from the EC and is sent to
the merchant 158 through a network. Plain text includes all the transaction data fields that are
not sensitive in nature and therefore can be transmitted in a clear, discernible form; they do not
need to be encrypted. These data fields are different for each message and are defined by the
transacting parties.

To communicate with the SP, the merchant goes through essentially the same steps to
format its own KE message with the SP as the EC goes through to format the EC's KE message
with the merchant. The cardholder and the merchant do not communicate with the SP
individually, but through a combined message. Consequently, there will be no need to exchange
any confidential financial information between the cardholder and the merchant. The merchant
prepares his device for the transaction 142 and selects from his own SPDA, which resides within
the merchant's device, the same SP as the EC cardholder has selected for the transaction 144.
The public key of the SP, represented by the symbols SP-PK and PK_SP, is obtained from the SP's
SPDA and is used to encrypt messages that will be sent to the SP.

To format its own KE message, the merchant generates a random number, RN_M 148,
concatenates it with the merchant's public key, PK_M 150, and the merchant's sensitive
transaction data STD_M. Sensitive transaction data is data that is relevant to the transaction and/or
required by the SP 152. The merchant encrypts 146 the combined data using the public key of
the service provider, PK_SP. The resulting cryptogram is then combined 154 with the plain text
portion PLAIN TEXT_M 156 of the message, if any, to form a merchant combination message.
The merchant's public key PK_M 150 may be placed within the plain text PLAIN TEXT_M instead
of being encrypted when forming the merchant combination message
PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M).

The merchant combination message [PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M)] is further
combined 158 with the EC's KE message
{[PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC)]*DS_EC-Private-Key}
to form the data portion of the KE message for both the merchant and the EC, i.e., the
EC-merchant combination message
{[PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC)]*DS_EC-Private-Key}*[PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M)].
The EC-merchant combination message is sent
through a hashing algorithm 160 to form a hash message, which is the merchant message digest
MD_M. The merchant message digest MD_M is digitally signed 162 by the merchant using the
merchant's private key 164 to form a merchant digitally signed message DS_M-Private-Key. The
merchant digitally signed message DS_M-Private-Key is then combined 166 with the data portion of
the message, i.e., the EC-merchant combination message, to form a key exchange request
message
«{[PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC)]*DS_EC-Private-Key}*[PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M)]»*DS_M-Private-Key
for both the merchant and EC. This final message
is sent to the SP through a network. Figure 7 represents the final format and content of the key
exchange request message from a merchant to an SP.

In the preferred embodiment of the invention, the merchant does not check the MD of the
EC's request message MD_EC because the EC encrypts his public key. However, in an alternate
embodiment of the invention, if the EC chooses not to encrypt his public key then the merchant
can optionally check the EC's MD before passing it to the SP. In either the case where the EC
encrypts his public key or where the EC does not encrypt his public key, for enhanced security
and to avoid possible processing errors by the merchant, the SP can still check the EC's MD.
When the merchant receives a combination response from the SP for both himself and the EC,
the merchant does not have to check the MD for the EC since it is part of the overall message
formed by a single originator - the SP. The merchant only needs to check the MD of the overall
message he receives from the SP.

When the SP receives the KE request message, the SP first separates 168 the data portion
of the KE request message from the DS and feeds the data portion of the KE request message
into a one-way hash algorithm to recalculate the message digest, which becomes MD_M. The SP
then separates the merchant's plain text PLAIN TEXT_M, cryptogram CRYPTO_M, digital
signature DS_M-Private-Key and the EC's KE request message
PLAIN TEXT_EC*CRYPTO_EC*DS_EC-Private-Key. Using its own private key, the SP decrypts merchant's
cryptogram 170 and
recovers, among other information, the merchant's random number RN_M 148 and the merchant's
public key PK_M 150. The SP then uses the recovered PK_M to decrypt the digital signature signed
by the merchant DS_M-Private-Key and recovers the MD_M for the merchant's KE message. The SP
compares 172 the newly hashed MD^_M 168 with the MD_M 170 recovered by decrypting the DS
from the original KE message. If there is a discrepancy between MD^_M and MD_M found, then
the KE message has been corrupted and is therefore rejected 174. If MD^_M and MD_M match, then
the SP separates the data portion of the EC's KE request message from the DS and feeds the data
portion of the EC's KE request message into a one-way hash algorithm to recalculate the
message digest (MD^_EC). The SP then separates the EC's plain text PLAIN TEXT_EC, if any,
cryptogram CRYPTO_EC, and digital signature DS_EC-Private-Key in the data portion of the EC's KE
request message 176. Using its own private key, the SP decrypts EC's cryptogram and recovers,
among other information, EC's random number RN_EC and EC's public key PK_EC. The SP then
uses the recovered PK_EC to decrypt the digital signature signed by EC and recovers the MD_EC for
EC's KE message. In the step 178, SP compares the newly hashed MD^_EC 176 with the MD_EC
recovered by decrypting the DS from the original KE message. If there is any discrepancy
found, the KE message has been corrupted and is therefore rejected 180. Otherwise, SP is ready
to send a KE response message back to merchant and EC.

To format the KE response message for the EC, the SP generates a random number, RN_SP-EC
184, and a session key Skey_EC 186 for the EC, combines them with the EC generated random
number RN_EC 188, service provider sensitive transaction data STD_SP-EC 190 and encrypts them
192 using the EC's public key PK_EC. The resulting cryptogram,
E_EC-PK(RN_EC*RN_SP-EC*Skey_EC*STD_SP-EC), is combined 196 with a transaction identification
number, TID_SP-EC 194, assigned to the EC by the SP and plain text, PLAIN TEXT_SP-EC 195, if any,
to form the data portion of the response message for the EC. The SP runs this data through a
hash algorithm to calculate the message digest MD_SP-EC 198. Using its own private key 202, the
SP creates a digital signature DS_SP-Private-Key 200 for the response message by digitally signing the
message digest MD_SP-EC. After combining 204 the data portion of the message with the newly
calculated DS_SP-Private-Key, the SP's KE response message for the EC is complete,
[TID_SP-EC*PLAIN TEXT_SP-EC*E_EC-PK(RN_SP-EC*RN_EC*Skey_EC*STD_EC)]*DS_SP-Private-Key.

To format the KE response message for the merchant, the SP generates a random number
RN_SP-M 208 and a session key Skey_M 210 for the merchant and combines them with the merchant
generated random number RN_M 212, sensitive transaction data STD_SP-EC 214 and encrypts them
206 using the merchant's public key PK_M recovered in 170. The resulting cryptogram is
combined 216 with a transaction identification number, TID_SP-M 218, assigned to the merchant
by the SP and plain text, PLAIN TEXT_SP-M 220, if any, to form the data portion of the response
message for merchant. The resulting combination message,
TID_SP-M*PLAIN TEXT_SP-M*E_M-PK(RN_SP-M*RN_M*Skey_M*STD_SP-M), is further combined 222 with the
KE response message for the EC,
[TID_SP-EC*PLAIN TEXT_SP-EC*E_EC-PK(RN_SP-EC*RN_EC*Skey_EC*STD_EC)]*DS_SP-Private-Key,
to form the data portion of the SP's final KE response message,
{[TID_SP-EC*PLAIN TEXT_SP-EC*E_EC-PK(RN_SP-EC*RN_EC*Skey_EC*STD_EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_M-PK(RN_SP-M*RN_M*Skey_M*STD_SP-M)].
The SP runs the data portion through a hash algorithm
to calculate the message digest 224. Using its own private key 228, the SP creates a digital
signature, DS_SP-Private-Key 226, for the response message by digitally signing the message digest.
After combining 230 the data portion of the message with the newly calculated DS 226, the KE
response message for both the EC and the merchant is complete. The response message
«{[TID_SP-EC*PLAIN TEXT_SP-EC*E_EC-PK(RN_SP-EC*RN_EC*Skey_EC*STD_SP-EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_M-PK(RN_SP-M*RN_M*Skey_M*STD_SP-M)]»*DS_SP-Private-Key
is sent
back to the merchant through a network. Figure 8 depicts the final format and content of the
combined KE response message from the SP to the merchant.

When the merchant receives the KE response message 232, the merchant first separates the
DS_SP-Private-Key, which was signed by the SP, and then feeds the data portion of the combined KE
response message into a one-way hash algorithm to recalculate the message digest MD^_SP-M. The
merchant then separates the data portion of the SP's KE response message, i.e., TID_SP-M, PLAIN
TEXT_SP-M, CRYPTO_SP-M, [(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)]*DS_SP-Private-Key. The
merchant uses SP's public key (selected from 144) to decrypt the digital signature DS_SP-Private-Key
to recover the message digest MD_SP-M. The merchant compares 234 the newly hashed MD^_SP-M
with the MD_EC. If there is any discrepancy between MD^_SP-M and MD_SP-M, the KE response
message has been corrupted and is therefore rejected 236. If MD^_SP-M and MD_SP-M match, then
the merchant identifies the part of the response message which is meant for him and decrypts the
cryptogram CRYPTO_SP-M 238 using his own private key. The merchant should be able to
recover the original random number RN_M (of 148) that he sent to the SP in the KE request
message. The merchant compares 240 the recovered random number RN_M (of the step 238) with
the original random number RN_M. If they are not equal, then the message has been corrupted
and the message is rejected 242. Since the random number RN_M can only be recovered by the
SP using the correct SP private key, it is assured that the sender of the message is indeed the
selected SP. The merchant then forwards the EC's KE response message
[(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)]*DS_SP-Private-Key to the EC and prepares for the
transaction phase of the transaction.

When the EC receives the KE response message 260, the EC first separates the
DS_SP-Private-Key, which was signed by the SP, and then feeds the data portion of the KE response
message for the EC into a one-way hash algorithm producing a MD^_SP-EC. The EC then separates the data
portion of the message, i.e., TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key. The EC
uses SP's public key (selected in 120) to decrypt the digital signature DS_SP-Private-Key message and
recovers the message digest MD_SP. The EC compares 262 the newly hashed MD^_SP-EC (in 260)
with the MD_SP-EC recovered by decrypting the DS_SP-Private-Key from the KE response message for
EC. If there is any discrepancy between MD^_SP-EC and MD_SP-EC found, the KE response message
for the EC has been corrupted and is therefore rejected 264. If MD^_SP-M and MD_SP-M match, the
EC identifies the part of the response message which is meant for him and decrypts 266 the
cryptogram CRYPTO_SP-EC, which is contained in the message, using his own private key. The
EC should be able to recover the original random number RN_EC (of 124) that was sent in the EC
KE request message. The EC compares 268 the recovered random number RN_EC (of 266) with
the original random number RN_EC (of 124). If the random numbers are not equal, then the
message has been corrupted and the message is rejected 270. Since only the SP using the correct
SP private key can recover the random number RN_EC, this serves to ensure that the sender of the
message is indeed the selected SP. The EC prepares for the transaction phase of the transaction.

There will be a predefined timeout period set in the EC and the merchant. During a
transaction, if a response message is not received within a timeout period, the EC and the
merchant will consider the transaction aborted and will either retry or start the recovery process.

After successful completion of the KE message exchanges, the SP has EC's public key and
the merchant's public key. At this point, both the EC and the merchant have a random number,
a transaction ID, and a session key from the SP. The EC and the merchant must send the two
random numbers recovered from the KE response message back to the SP to complete the key
exchange phase of the transaction. This can be done in two ways. The random numbers can be
sent back through a confirmation message from both the EC and the merchant. Or the random
numbers can be sent back as part of the next message going out from the EC and the merchant
to the SP, such as a transaction message. The second method is simpler and is described in phase
II below. The random numbers are used only once to ensure the correctness of the key exchange
between the SP and merchant, and the SP and EC. Once the session keys and transaction
identification number have been established, the random numbers are no longer used.

PHASE II: TRANSACTION PHASE 

During the transaction phase, the merchant and the EC each send their own account
information such as an account number and other transaction related data such as transaction
amount, request for approval or other processing, to the SP. Again, the EC and the merchant talk
to the SP individually but through combined messages and the merchant is responsible for
combining the messages and sending them as one message to the SP.

The EC first forms the transaction message by concatenating the random number RN_SP-EC
274 from the SP and the EC's account information with the selected SP, AI_EC 276, transaction
amount TA 280 and any other sensitive data 278 relevant to the transaction and/or required by
the SP. The EC encrypts 272 them using the session key Skey_EC assigned by the SP. The Skey_EC
is a secret key and uses a cryptographic algorithm different from the cryptographic algorithm
used for the public key encryption. The resulting cryptogram CRYPTO_EC, i.e.,
Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA), is then combined 282 with the transaction ID TID_SP-EC 284
and the plain text PLAIN TEXT_EC 286, if any, to form the data portion of the EC's transaction
message, TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC. The data portion 282 is fed into a one-way hash
algorithm 288 to calculate the message digest MD_EC and the MD_EC is then digitally signed 290
by the EC's private key 292. The resulting digital signature 290 is combined with the data
portion of the message (from 282) 294 to form EC's transaction request message and then sent to
the merchant, [TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key.

The merchant goes through essentially the same steps to form his transaction message. The
merchant forms his transaction message by concatenating 246 the RN_SP-M from the SP and the
merchant's account information with the selected SP, AI_M 248, transaction amount TA 252 and
any other sensitive data STD_M 250 relevant to the transaction and/or required by the SP. The
merchant encrypts them 244 using the session key Skey_M assigned by the SP. The session key
Skey_M is a secret key and is created using a different cryptographic algorithm, such as DES, from
the cryptographic algorithm used for public key encryption. The session key Skey_M is used to
perform the encryption at this point to create the cryptogram CRYPTO_M. The resulting
cryptogram CRYPTO_M, i.e., Skey_M(RN_SP-M*STD_M*AI_M*TA), is then combined 254 with the
transaction ID TID_SP-M 256 and the plain text PLAIN TEXT_M 258, if any, to form the data portion
of the merchant's transaction message, TID_SP-M*PLAIN TEXT_M*CRYPTO_M. This data is
combined 296 with the EC's transaction request to form the data portion of the final transaction
request message for the SP,
[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)].
As before, the merchant feeds his combined data through a one-way hash algorithm 298 to
calculate the message digest MD_M and the MD_M is then digitally signed 300 by the merchant's
private key 302. The resulting digital signature DS_M-Private-Key 300 is combined 304 with the data
portion of the message (from 296) to form the final transaction request message and is then sent
to the SP,
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)]}*DS_M-Private-Key.
Figure 9 depicts the final format of the transaction request message.

When the SP receives the transaction request message, the SP first checks 306 the two
transaction identification numbers, i.e., TID_SP-EC and TID_SP-M, sent by the EC and the merchant
and makes sure they are valid. When either TID_SP-M (of 210) or TID_SP-EC (of 186) is found invalid
306, then the message is rejected 308. If the transaction identification numbers are both valid,
then the SP proceeds to separate the DS_M-Private-Key from the data portion of the message and feeds
the data portion of the message,
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)]},
into a one-way hash algorithm to calculate the message digest MD^_M of
this message. The SP separates the data portion of the message, i.e., TID_SP-M, PLAIN
TEXT_M, CRYPTO_M, DS_M-Private-Key, (TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key. The
SP decrypts 310 the DS_M-Private-Key using the merchant's public key and compares the newly
recovered message digest MD_M with the message digest just calculated MD^_M (from 306). If
MD^_M and MD_M are not equal, the message has been corrupted and is rejected 314. If MD^_M
and MD_M match, then the SP decrypts 316 the encrypted portion of the message using the session
key Skey_M (of 210) it assigned to the merchant during the KE phase and recovers the data fields
contained in the encrypted portion. The SP compares 318 the random number RN_SP-M the
merchant sends back in the message with the message the SP sent to the merchant originally,
RN_SP-M (from 208). If the random numbers are not equal, then the merchant has failed the mutual
authentication test and the message is rejected 320.
In addition, the SP will verify the EC's account information AI_EC and the transaction data
such as the transaction amount TA. The message is rejected 320 if the AI is no longer valid. It
is also rejected when the TA from the EC and the TA from the merchant do not match. There
may be other conditions for invalidating a message. If the account information AI_EC and the
transaction are valid, then the SP goes on to verify the EC portion of the message.

As with the merchant's message, the SP first separates 322 the DS_EC-Private-Key from the EC's
message and feeds the data portion of the EC's message, (TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC),
into a one-way hash algorithm to calculate the message digest MD^_EC of the EC message. The
SP separates the data portion of EC's transaction request, TID_SP-EC, PLAIN TEXT_EC, CRYPTO_EC,
DS_EC-Private-Key. The SP decrypts 324 DS_EC-Private-Key using EC's public key PK_EC and recovers
MD_EC. The SP compares 326 the recovered MD_EC with MD^_EC. If MD^_EC and MD_EC are not
equal, the message has been corrupted and is rejected 328. If MD^_EC and MD_EC match, then the
SP decrypts 330 the encrypted portion of the EC message using the session key Skey_EC (of 186)
it assigned to the EC during the KE phase and recovers the data fields contained in it. The SP
compares 332 the random number RN_SP-EC the EC sends back in the message with the random
number RN_SP-EC it sent out to the EC originally (in 184). If the random numbers are not equal,
then the EC has failed the mutual authentication test and the message is rejected 334. The SP
will verify the merchant's account information AI_M and the transaction data such as the
transaction amount TA and will reject the message when the account information is invalid or
when the transaction data does not meet the SP's criterion 334. Once the integrity and
authenticity of the overall message has been established, the SP can process the data contained
in the message and send a response message back. The random number that is sent back in this
message completes the mutual authentication between the SP and the merchant, and between the
SP and the EC. After this message, no exchange of random numbers will be necessary. The SP
can choose to use the random number as the transaction identification number which the
merchant and the EC will use in all subsequent messages that they send to the SP.
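
The nested transaction request and the order of the SP's checks described above, as an added Python example that is not code from the patent. Assumptions: a toy textbook-RSA key pair built from Mersenne primes stands in for the public key algorithm, a SHA-256 keystream XOR stands in for the secret-key cipher (the text names DES), and the JSON framing, field names, function names and sample values are constructed for illustration.

```python
import hashlib
import json
import secrets

def keypair(a, b, e=65537):
    # Toy textbook-RSA pair from Mersenne primes 2**a-1, 2**b-1 (constructed; trivially factorable).
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def md(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # message digest MD

def sign(priv, data):
    return pow(md(data), priv[1], priv[0])  # DS = MD under the private key

def verify(pub, data, ds):
    # Recover MD from DS with the public key and compare it with the recomputed MD^.
    return isinstance(ds, int) and pow(ds, pub[1], pub[0]) == md(data)

def _xor(key, nonce, data):
    # Stand-in for the secret-key cipher: XOR with a SHA-256 counter keystream.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, b"".join(blocks)))

def seal(key, fields):
    nonce = secrets.token_bytes(8)  # fresh per message so the keystream is never reused
    return (nonce + _xor(key, nonce, canon(fields))).hex()

def unseal(key, crypto_hex):
    try:
        raw = bytes.fromhex(crypto_hex)
        fields = json.loads(_xor(key, raw[:8], raw[8:]))
    except (TypeError, ValueError):
        return None
    return fields if isinstance(fields, dict) else None

def ec_request(sess, priv, ai, ta):
    # [TID_SP-EC * PLAIN TEXT_EC * Skey_EC(RN_SP-EC * AI_EC * TA)] * DS_EC-Private-Key
    data = {"tid": sess["tid"], "plain": "",
            "crypto": seal(sess["skey"], {"rn": sess["rn"], "ai": ai, "ta": ta})}
    return {**data, "ds": sign(priv, canon(data))}

def merchant_request(sess, priv, ai, ta, ec_msg):
    # {EC message * [TID_SP-M * PLAIN TEXT_M * Skey_M(RN_SP-M * AI_M * TA)]} * DS_M-Private-Key
    own = {"tid": sess["tid"], "plain": "",
           "crypto": seal(sess["skey"], {"rn": sess["rn"], "ai": ai, "ta": ta})}
    data = {"ec": ec_msg, "m": own}
    return {**data, "ds": sign(priv, canon(data))}

def sp_validate(msg, sessions):
    # sessions: TID -> {"skey", "rn", "pub"} as recorded by the SP during the KE phase.
    ec, m = msg["ec"], msg["m"]
    s_ec, s_m = sessions.get(ec["tid"]), sessions.get(m["tid"])
    if s_ec is None or s_m is None:
        return "reject: invalid TID"
    if not verify(s_m["pub"], canon({"ec": ec, "m": m}), msg["ds"]):
        return "reject: merchant signature"
    f_m = unseal(s_m["skey"], m["crypto"])
    if f_m is None or f_m.get("rn") != s_m["rn"]:
        return "reject: merchant random number"
    ec_data = {k: ec.get(k) for k in ("tid", "plain", "crypto")}
    if not verify(s_ec["pub"], canon(ec_data), ec.get("ds")):
        return "reject: EC signature"
    f_ec = unseal(s_ec["skey"], ec["crypto"])
    if f_ec is None or f_ec.get("rn") != s_ec["rn"]:
        return "reject: EC random number"
    if f_ec.get("ta") != f_m.get("ta"):
        return "reject: TA mismatch"
    return "accept"

def demo():
    # Constructed session state standing in for the outcome of the key exchange phase.
    ec_pub, ec_priv = keypair(521, 607)
    m_pub, m_priv = keypair(607, 1279)
    s_ec = {"tid": "TID-EC-1", "skey": secrets.token_bytes(16), "rn": secrets.token_hex(8), "pub": ec_pub}
    s_m = {"tid": "TID-M-1", "skey": secrets.token_bytes(16), "rn": secrets.token_hex(8), "pub": m_pub}
    sessions = {s_ec["tid"]: s_ec, s_m["tid"]: s_m}
    ec_msg = ec_request(s_ec, ec_priv, "acct-ec-0001", 2500)
    good = merchant_request(s_m, m_priv, "acct-m-0001", 2500, ec_msg)
    results = {"valid": sp_validate(good, sessions)}
    # Outer message altered after the merchant signed it.
    results["modified in transit"] = sp_validate({**good, "m": {**good["m"], "plain": "x"}}, sessions)
    # EC cryptogram replaced before the merchant signed: the inner DS_EC no longer matches.
    swapped = {**ec_msg, "crypto": seal(s_m["skey"], {"rn": s_ec["rn"], "ai": "acct-ec-0001", "ta": 1})}
    results["EC part replaced"] = sp_validate(merchant_request(s_m, m_priv, "acct-m-0001", 2500, swapped), sessions)
    # Merchant states a different amount than the EC signed for.
    results["amount differs"] = sp_validate(merchant_request(s_m, m_priv, "acct-m-0001", 9900, ec_msg), sessions)
    # EC message carrying a random number that is not the one issued for this session.
    stale = ec_request({**s_ec, "rn": secrets.token_hex(8)}, ec_priv, "acct-ec-0001", 2500)
    results["stale RN"] = sp_validate(merchant_request(s_m, m_priv, "acct-m-0001", 2500, stale), sessions)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the merchant's signature covers the EC's signed message, the SP can tell a change made in transit (outer signature fails) from a change made to the EC's part before the merchant signed (inner signature fails).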

As before, the response message contains information for both the EC and the merchant.
To format the transaction response message for the EC, the SP generates the response data for
the EC, Response Data_SP-EC 338, and encrypts 336 it using the session key Skey_EC assigned to the
EC. Only sensitive data is encrypted. Non-sensitive response data is included in the plain text.
The cryptogram CRYPTO_SP-EC, i.e., E_Skey-EC(Response Data_SP-EC), is combined 340 with the
transaction identification number TID_SP-EC 342 that the SP assigned to the EC (from 194) and the
plain text that the SP has for EC 344, if any, to form the data portion of the response message for
the EC, i.e., TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC). The data portion of the
message is fed into a hash algorithm 346 to generate a MD_SP-EC which is digitally signed 348 by
the SP using the SP's private key 350. The DS_SP-Private-Key is combined 352 with the data portion
of the response message (from 340) to form the complete response message for the EC,
[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key.
To format the transaction response message for the merchant, the SP generates the response
data for the merchant, Response Data_SP-M 356, and encrypts 354 it using the session key Skey_M
assigned to the merchant (from 210). The cryptogram CRYPTO_SP-M is combined 358 with the
transaction identification number TID_SP-M assigned to merchant 360 (from 218) and the plain text
PLAIN TEXT_SP-M that the SP has for merchant 362, if any, to form the data portion of the
response message for the merchant, TID_SP-M*PLAIN TEXT_SP-M*CRYPTO_SP-M. The data is then
combined 364 with the completed response message for the EC to form the data portion of the
response message for both the EC and the merchant,
[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)].

The data is then fed into a hash algorithm 366 to generate a MD_SP-M which is digitally signed
368 by the SP using the SP's private key 370. The DS_SP-Private-Key is combined 372 with the data
portion of the response message for both the EC and the merchant to form the complete response
message for both the EC and the merchant,
«{[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)]»*DS_SP-Private-Key.
The SP then sends its response message back to the merchant. Figure 10 depicts the final
format of the transaction response message.

When the merchant receives the message, the merchant first checks 374 the transaction
identification number, TID_SP-M, in the message and makes sure it is valid. If the transaction
identification number is invalid then the message is rejected 376. If the TID_SP-M is valid, then
the merchant separates the DS_SP-Private-Key which was signed by the SP from the data portion of the
message, and then feeds the data portion of the transaction response message
«{[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)]»
into a one-way hash algorithm producing a MD^_SP-M. The
merchant separates the data portion of the message into different parts, TID_SP-M, PLAIN
TEXT_SP-M, CRYPTO_SP-M, DS_SP-Private-Key, (TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC*DS_SP-Private-Key)
and prepares to forward SP's transaction response message to the EC. The merchant
decrypts 378 the encrypted portion of the SP's message using the session key Skey_M assigned
by the SP during the KE phase and recovers the data fields contained within it. The merchant
then uses SP's public key, PK_SP (from 144), to decrypt the digital signature DS_SP-Private-Key to
recover MD_SP-M. The merchant compares 380 the newly hashed MD^_SP-M (from 374) with the
recovered MD_SP-M. If MD^_SP-M and MD_SP-M do not match, then the transaction response message
has been corrupted and is therefore rejected 382. If the message digests match, then the
merchant starts processing the message. As usual, the EC portion of the transaction response
message (TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC*DS_SP-Private-Key) is passed to EC.

When the EC receives the transaction response message, the EC first checks 394 the
transaction identification number, TID_SP-EC, in the message and makes sure it is valid. If the
transaction identification number is invalid, then the message is rejected 396. If the transaction
identification number is valid, then the merchant separates the DS_SP-Private-Key which was signed
by the SP from the data portion of the transaction response message, and then feeds the data
portion of the EC transaction response message TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response
Data_SP-EC) into a one-way hash algorithm producing MD^_SP-EC. The EC separates the message
into different parts, TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key. The EC decrypts 398
the encrypted portion of SP's message using the session key Skey assigned by the SP during the
KE phase and recovers the data fields contained within it. The EC uses SP's public key (from
120) to decrypt the digital signature DS_SP-Private-Key and recovers the message digest MD_SP-EC. The
merchant compares 400 the newly hashed MD^_SP-EC 394 with the recovered MD_SP-EC. If MD^_SP-EC
and MD_SP-EC do not match, then the transaction response message has been corrupted and is
therefore rejected 402. If the message digests match, then the EC starts processing the message.

At the end of the transaction, the EC and the merchant can, if required by the SP, send an
acknowledgement message to the SP to signal that the response message has been correctly
received and processed. This acknowledgement data can be included as a part of the next
message to be sent to the SP, if there are more messages to be exchanged between the SP and the
merchant and the EC before the transaction ends. Or the acknowledgement data can be a
message by itself.

To format the acknowledgement message, the EC first encrypts 404 the sensitive part of the
acknowledgement data, Acknowledgement Data_EC 406, if any, using the session key, Skey_EC,
thus creating Skey_EC(Acknowledgement Data_EC). The EC combines 408 the resulting cryptogram
with the transaction identification number TID_SP-EC 410 assigned by the SP and the plain text
PLAIN TEXT_EC 412, if any. This forms the data portion of EC's acknowledgement message,
TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC). This combined data is then fed
into a one-way hash algorithm 414 to generate the MD_EC. The resulting MD_EC is then digitally
signed 416 by the EC using the EC's private key 418 to generate a DS_EC-Private-Key. The
DS_EC-Private-Key is combined 420 with the data portion of the message (from 408) to form the complete
acknowledgement message for the EC, [TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement
Data_EC)]*DS_EC-Private-Key. The acknowledgement message is then sent to the merchant.

The merchant goes through the same steps to form his own acknowledgement message. To
format the acknowledgement message, the merchant first encrypts the sensitive parts of the
acknowledgement data, Acknowledgement Data_M 386, if any, using the session key Skey_M
assigned by the SP to merchant, thus creating Skey_M(RN_SP-M*Acknowledgement Data_M). The
merchant combines 388 the resulting cryptogram with the transaction identification number
TID_SP-M 390 assigned by the SP, and the plain text PLAIN TEXT_M (from 392), if any. This forms
the data portion of the merchant's acknowledgement message, TID_SP-M*PLAIN TEXT_M*
Skey_M(RN_SP-M*Acknowledgement Data_M). This data portion is further combined 422 with the
acknowledgement message received from the EC to form the data portion of the combined
acknowledgement message for the SP,
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M*Skey_M(Acknowledgement Data_M)].
The merchant feeds the data portion of the combined acknowledgement message for the SP into a
one-way hash algorithm to generate the message digest MD_M. The resulting MD_M is then
digitally signed by the merchant using the merchant's private key 428 to generate DS_M-Private-Key
426. The DS_M-Private-Key is combined 430 with the data portion of the message (from 422) to form
the final combined acknowledgement message of the EC and the merchant designated for the SP,
«{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M*Skey_M(Acknowledgement Data_M)]»*DS_M-Private-Key.
This message is then sent to the SP. Figure 11 depicts the final format of the transaction
acknowledgement message.
TID_SP-M is the transaction identification number assigned by the SP to the merchant (from
218) and TID_SP-EC is the transaction identification number assigned by the SP to the EC (from
194). Upon receiving the transaction acknowledgement message, the SP checks 432 the two
transaction identification numbers, TID_SP-M and TID_SP-EC, sent by the EC and the merchant and
makes sure they are valid. When either TID_SP-M or TID_SP-EC is found invalid, then the message
is rejected 434. If the transaction identification numbers are both valid, then the SP proceeds to
separate the DS_M-Private-Key from the combined acknowledgement message and feeds the data
portion of the combined acknowledgement message
«{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M*Skey_M(Acknowledgement Data_M)]»
into a one-way hash algorithm to calculate the
message digest MD^_M of this message. The SP separates the data portion of the message,
TID_SP-M, PLAIN TEXT_M, CRYPTO_M, DS_M-Private-Key, (TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key.
The SP decrypts 436 the DS_M-Private-Key using the merchant's public key PK_M and
compares the recovered message digest MD_M 432 with the message digest just calculated MD^_M
436. If MD^_M and MD_M are not equal, then the message has been corrupted and is rejected 440.
If MD^_M and MD_M match, then the SP decrypts 442 the encrypted portion of the merchant's
acknowledgement message using the session key Skey_M (from 210) that it assigned to the
merchant during the KE phase and recovers the acknowledgement data contained within it.

The SP separates 444 the DS_EC-Private-Key from the EC's acknowledgement message and feeds
the data portion of the EC's acknowledgement message, TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC,
into a one-way hash algorithm to calculate the message digest MD^_EC of this message. The SP
separates the data portion of the EC's acknowledgement message, TID_SP-EC, PLAIN TEXT_EC,
CRYPTO_EC, DS_EC-Private-Key. The SP decrypts 446 the DS_EC-Private-Key using the EC's public key
PK_EC and compares 448 the recovered MD_EC with the message digest just calculated MD^_EC 444.
If the message digests are not equal, then the message has been corrupted and is rejected 450.
If MD^_EC and MD_EC match, then the SP decrypts 452 the encrypted portion of the message using
the session key Skey_EC (from 186) that it assigned to the EC during the KE phase and recovers
the acknowledgement data contained within it. This completes the processing of the transaction
phase of the transaction 454.



Throughout the transaction, in a preferred embodiment, the EC works with interface
software provided by Internet browser software such as the Microsoft Explorer or Netscape
Navigator. In a typical session, the cardholder points his browser to the merchant's URL and
orders goods or services from the merchant. At the time of payment, the browser will invoke the
EC interface software, which can be built into the browser or included as a plug-in or add-on
software component, and allow the transaction to proceed. The cardholder can point his browser
to the URL of any SP member.

The two-phased transaction described in figures 6A-6Q above is just a specific case of
applying the two-phased key-exchange-transaction model. In the two-phased transaction
described in figures 6A-6Q, the number of parties involved in the transaction is three: the EC,
the merchant and the SP. The two-phased key-exchange-transaction model is similarly
applicable to cases where the number of parties involved varies from two to many. In a
transaction that involves more than three parties, there is only one party that plays the role of the
SP. All other parties use the public key of the selected SP to perform the initial key exchange
and use session keys and transaction IDs assigned by the SP to carry out the transaction.

The two-phased key-exchange-transaction model is applicable to organization schemes
wherein: (1) the participants can be arranged with possible routers in series with the service
provider; or (2) the participants can be arranged with possible routers in a hierarchical
organization. These additional organization schemes may involve routers, which route messages
to the next level. A level of a hierarchy may be composed of any number of participants and/or
routers. The next level is the next participant or router that is next in the sequence or hierarchy.
In a hierarchical organization scheme, the next level includes all possible next participants and
routers. For the hierarchical organization scheme, the SP establishes the criterion for
determining the next participant or router to which a message is sent.

A router is a gateway/conduit, which collects the messages from a previous level and
performs some processing on the messages according to an SP's requirements such as combining
them, and then forwards the messages to the SP. Each participant need only form his own
message (data and digital signature) and send it to the next level. A participant combines all the
messages he receives with his own message and digitally signs the combined message before
sending it to next level. In the hierarchical organization's simplest form, there is only one
message router, which collects messages from all the other participants and sends the combined
message to the SP.

In the series organization, an originator of a transaction is in series with routers and/or
participants who in turn are in series with a service provider 60. In the preferred
embodiment of the invention, each element shown in figure 12 is a participant. In an alternative
embodiment of the invention, any intermediate element between the originator and the SP can
be a router.

An originator conducts a transaction with participants 1100, 1120, 1140 and 1160 and a
service provider that have been arranged in series as shown in Figure 12. This is similar to the
three-party scenario described in figures 6A-6Q except for the fact that now there are more parties
involved. Note participants 3, 4, 5, 6 . . . n-2 that have been arranged in series 1180. Each of the
participants prepares his own message, incorporates it with the message he receives from a prior
participant, if any, appends a digital signature with the message, and then sends it to the next
participant in the line. The combined message is eventually sent to the SP and the SP forms the
response message accordingly and sends it back through the same path the original request
message has traveled.

Figure 13 shows elements arranged in a hierarchical organization scheme, where each
element, X_1,1, X_1,2, ... X_1,n (n = 1, 2, 3, ...) 1200, is a participant of the transaction and not a message
router, and each element, X_j,k (j = 2, 3, 4, ...; k = 1, 2, 3, ... m; m is a variable of type n; m may
be a different value for different levels of a hierarchy) 1210, can either be a participant or a
router. The upward pointing bold arrow represents sending a request message 1220. The
downward pointing arrow represents sending a response message 1230.

Each participant collects messages from a number of participants he is responsible for and, 
after combining the messages with his own and forming a new message, sends the new message 
to the next level. A hierarchical organization scheme may include only one participant to as 
many as is required (The most regressive case of the hierarchical scheme is one participant and 
one service provider). Eventually, at the last element before the service provider, X_o,1, where o
is of type n, all messages are combined into one message 1240, which is then sent to the SP 60.
Again, the SP forms the response message and sends it back through the same route. 

In the case when the SP is not directing the transaction, the members are conducting the 
transaction among themselves using the session key generated by the SP. A transaction can 
occur between two or more members. When there are more than two members involved in the 
transaction, the messages can flow from member to member in any order. A member sends a 
transaction request message and receives a transaction response message. A member does not 
necessarily have to receive a transaction response message from the same member that he sent 
the transaction request message. For example, three members in a transaction can be organized 
in a ring and send messages around the ring. A first member can send a transaction request 
message to a second member who in turn sends a transaction request message and a transaction
response message to a third member. The third member sends a transaction request message and
a transaction response message to the first member, and the first member sends a transaction 
response message to a second member. A member receiving a transaction request message 
creates a transaction response message, which eventually will be sent to the member who sent 
the transaction request message. 

During the key exchange phase, the SP obtains the public keys of all the transaction
participating members. The SP sends to each participating member, the other members' public
keys prior to the participating members conducting a transaction among them. The transaction
request messages and the transaction response message include plain text, if any, a cryptogram,
and a digital signature of the sending party.

In the case when the SP needs to act as the surrogate-certificate for the EC and/or the
merchant in order to deal with a certificate-based external system, the SP shields the EC and/or
the merchant from the operation of the external interface. The SP only returns to the EC and/or
the merchant, the information needed to complete the transaction with the EC and/or the
merchant.

While there have been described herein what are considered to be preferred and exemplary
embodiments of the present invention, other modifications of the invention shall be apparent to
those with ordinary skill in the art. Therefore, it is desired to be secured in the appended claims
all such modifications and extensions as fall within the true spirit and scope of the
invention. The invention is to be construed as including all embodiments thereof that fall within
the scope of the appended claims and the invention should only be limited by the appended
claims below. In addition, one with ordinary skill in the art will readily appreciate that other
applications may be substituted for those set forth herein without departing from the spirit and
scope of the present invention.



CLAIMS: 

1. A system for electronic transactions comprising:
an electronic card having,
a cryptographic service for encryption and decryption,
a data area for storing cardholder information, and
a data area for storing service provider information;
a service provider member terminal responsive to the electronic card; and
a service provider terminal in communication with the service provider member terminal.

2. The system of claim 1 wherein the electronic card is a physical card. 

3. The system of claim 1 further comprising software having the electronic card. 



4. The system of claim 1 wherein the electronic card further comprises a card operating
system for loading and updating cardholder information, changing a PIN, and managing the
service provider data area.

5. The system of claim 1 wherein the electronic card performs external communication 
read/write operations, and communication protocol handling. 



6. The system of claim 1 wherein the electronic card further comprises software to manage 
the electronic card. 



7. The system of claim 1 wherein the data area for storing service provider information
comprises a service provider record comprising:
a name field indicating the service provider;
a key value; and
an account information field containing information unique to each service provider.

8. The system of claim 1 wherein the electronic card further comprises application software.

9. The system of claim 1 wherein the electronic card further comprises applets. 

10. The system of claim 1 further comprising an external system wherein the service provider
terminal communicates with the external system.

11. The system of claim 7 wherein each service provider record further comprises a card type
field specifying the type of instrument a service provider supports.

12. A method of conducting an electronic transaction using an electronic card comprising the
steps of:
generating a session key at the service provider;
exchanging keys by sending a key from a member to a service provider and sending a session
key from the service provider to the member; and
using the session key to conduct a transaction.

13. The method of claim 12 wherein the step of exchanging keys comprises the steps of:
sending a key exchange request message from a member to a service provider; and
formatting a key exchange response including the session key for a member and sending the
key exchange response to a member.

14. The method of claim 12 wherein the step of using a session key to conduct a transaction
comprises the steps of:
formatting a member transaction request message using the session key and sending it to the
service provider; and
formatting at the service provider, a transaction response message for the member and
sending the transaction response message to the member.

15. The method of claim 12 wherein the step of using a session key to conduct a transaction
comprises the steps of:
formatting by a first member, using the session key, a transaction request message, the
transaction request message including a digital signature of the first member, and sending the
transaction request message to a second member; and
formatting by a second member, using the session key, a transaction response message, the
transaction response message including a digital signature of the second member, and sending
the transaction response message to the first member.

1 6. The method of claim 1 2 wherein the step of using a session key to conduct a transaction 

30 comprises the steps of: 

formatting by a first member, using the session key, a transaction request message, the 
transaction request message including a digital signature of the first member, and sending the 
transaction request message to an intermediate member; and 

formatting by an intermediate member, using the session key, a transaction response 
35 message, the transaction response message including a digital signature of the intermediate 
member, and sending the transaction response message to a final member; 

formatting by a final member, using the session key, a transaction response message, the 
transaction response message including a digital signature of the final member, and sending the 
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1 transaction response message to the first member. 

17. The method of claim 12 wherein the step of exchanging keys comprises the steps of:
sending a key exchange request message from the electronic card to a merchant terminal;
combining at the merchant terminal, a merchant key exchange request message with the electronic card's key exchange request message and sending the combined key exchange request message to a service provider;
formatting a key exchange response including the session key for the merchant terminal, formatting a key exchange response including the session key for the electronic card, combining the key exchange responses into a combined key exchange response and sending the combined key exchange response to the merchant terminal; and
separating at the merchant terminal, the key exchange response for the merchant from the key exchange response for the electronic card system, and forwarding the key exchange response for the electronic card to the electronic card.

18. The method of claim 12 wherein the step of using a session key to conduct a transaction comprises the steps of:
formatting the electronic card's transaction request message using the session key and sending it to the merchant terminal;
formatting at the merchant's terminal, using the session key, the merchant transaction request message combining the received transaction request message with the merchant transaction request message and sending the combined transaction request message to the service provider;
formatting by the service provider, using the session key, a transaction response message for the merchant, a transaction response message for the electronic card system, and combining the transaction response messages into a combined transaction response message and sending the combined transaction response message to the merchant terminal; and
separating at the merchant terminal, the transaction response message for the merchant from the transaction response message for the electronic card, and forwarding the transaction response message for the electronic card system to the electronic card.

19. The method of claim 12 wherein when the service provider is directing the transaction, only the service provider can read sensitive transaction data within a message sent from a member.

20. The method of claim 12 wherein when the service provider is not directing the transaction, only the service provider can read sensitive transaction data within a message sent from a member during the key exchange phase.

21. The method of claim 13 wherein the key exchange response further comprises public keys for every member involved in a transaction.

22. The method of claim 13 wherein a key exchange request message includes a member generated random number within the encrypted part of the key exchange message.

23. The method of claim 13 wherein a key exchange request message includes a member generated digital signature.

24. The method of claim 13 wherein a key exchange request message from a member includes a cryptogram comprising:
a random number of the member; and
sensitive data of the member.

25. The method of claim 14 wherein a transaction message includes a random number within the encrypted part of the transaction message.

26. The method of claim 14 wherein a transaction message includes a digital signature of a sending party.

27. The method of claim 14 wherein only the service provider can read sensitive transaction data within a transaction message.

28. The method of claim 14 further comprising the steps of:
formatting at the member, using the session key, a transaction Acknowledgement message and sending the transaction Acknowledgement message to the service provider.

29. The method of claim 18 further comprising the steps of:
formatting at the electronic card, using the session key, a transaction Acknowledgement message and sending the transaction Acknowledgement message to the merchant; and
formatting at the merchant's terminal, using the session key, the merchant transaction Acknowledgement message, combining the received transaction Acknowledgement message with the merchant transaction Acknowledgement message and sending the combined transaction Acknowledgement message to the service provider.

30. The method of claim 24 wherein the key exchange request message further comprises plain text.

31. The method of claim 24 wherein the key exchange request message further includes a digital signature of a member.

32. The method of claim 24 wherein the cryptogram further comprises a public key of the member.

33. The method of claim 25 wherein a transaction message includes a digital signature of a sending party.

34. A method of sending a key exchange message comprising the steps of:
satisfying electronic card access conditions by an electronic cardholder;
selecting a service provider by the electronic cardholder;
generating an electronic card random number by the electronic card;
encrypting by the electronic card with a service provider's public key, a random number, an electronic card public key, and electronic card sensitive transaction data to form an electronic card cryptogram;
combining by the electronic card the electronic card cryptogram with plain text, if any, to form an electronic card combination message;
applying a hashing algorithm to the electronic card combination message to form an electronic card message digest;
digitally signing by the electronic card, the electronic card message digest using the electronic card private key to form an electronic card digitally signed message;
combining by the electronic card, the electronic card combination message with the electronic card digitally signed message to form a key exchange message from the electronic card; and
sending the electronic card key exchange message from the electronic card to a merchant through a network.

35. The method of claim 34 further comprising the steps of:
generating a merchant random number by a merchant device;
encrypting by the merchant device with a service provider's (SP's) public key, a merchant random number, a merchant public key, and merchant sensitive data to form a merchant cryptogram;
combining by the merchant device, the merchant cryptogram with plain text, if any, to form a merchant combination message;
combining by the merchant device the electronic card (EC) key exchange message with the merchant combination message to form an EC-merchant combination message;
applying a hashing algorithm to the EC-merchant combination message to form a merchant message digest;
digitally signing by the merchant device, the merchant message digest using the merchant's private key to form a merchant digitally signed message;
combining by the merchant, the EC-merchant combination message with the merchant digitally signed message to form a merchant key exchange request message from the merchant; and
sending the merchant key exchange request message from the merchant to a service provider through a network.

36. A key exchange request message comprising:
electronic card plain text;
electronic card cryptogram, encrypted with a service provider public key, comprising an electronic card random number, an electronic card public key, and electronic card sensitive transaction data;
an electronic card digital signature of the electronic card plain text and the electronic card cryptogram;
merchant plain text;
merchant cryptogram, encrypted with the service provider public key, of a merchant random number, a merchant public key, and merchant sensitive transaction data; and
a merchant digital signature of the merchant plain text and the merchant cryptogram.

37. A key exchange response message comprising:
service provider (SP) plain text for the electronic card (EC);
SP transaction identification number for the EC;
SP cryptogram for the EC, encrypted with the EC public key, of the EC random number, an SP random number for the EC, a session key, and SP sensitive transaction data for the EC;
an SP digital signature of the SP plain text for the EC, the SP transaction identification number for the EC; and the SP cryptogram for the EC;
SP plain text for the merchant;
SP transaction identification number for the merchant;
SP cryptogram for the merchant encrypted with the merchant public key, of the merchant random number, an SP random number for the merchant, a session key, and SP sensitive transaction data for the merchant; and
an SP digital signature of the SP plain text for the merchant, the SP transaction identification number for the merchant; and the SP cryptogram for the merchant.
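
The card-to-SP leg of the key exchange in claims 34, 36 and 37, as an added example that is not code from the patent: the card builds and signs its request, the SP answers with a session key, and the card accepts the answer only if the SP signature verifies and its own random number is echoed. Assumptions: unpadded textbook RSA over constructed demo keys (products of known Mersenne primes), SHA-256 as the hashing algorithm, a 2-byte length prefix for "combining", and every function name is hypothetical; the merchant leg is left out.

```python
import hashlib
import hmac
import secrets
import struct

E = 65537  # public exponent shared by both demo keys (assumption)

def make_key(a, b):
    # Constructed demo key from two known Mersenne primes so the example runs
    # offline on the standard library. Not a secure key.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

SP_KEY = make_key(2203, 2281)  # service provider key pair
EC_KEY = make_key(521, 607)    # electronic card key pair

def nbytes(n):
    return (n.bit_length() + 7) // 8

def pack(*fields):
    # "Combining" in the claims; the 2-byte length prefix is an assumed encoding.
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def unpack(blob):
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated field header")
        (size,) = struct.unpack_from(">H", blob, i)
        if i + 2 + size > len(blob):
            raise ValueError("truncated field")
        out.append(blob[i + 2:i + 2 + size])
        i += 2 + size
    return out

def encrypt(n, payload):
    # Unpadded textbook RSA; the 0x01 marker preserves leading zero bytes.
    m = int.from_bytes(b"\x01" + payload, "big")
    if m >= n:
        raise ValueError("payload too long for this key")
    return pow(m, E, n).to_bytes(nbytes(n), "big")

def decrypt(key, cryptogram):
    m = pow(int.from_bytes(cryptogram, "big"), key["d"], key["n"])
    raw = m.to_bytes(nbytes(m), "big")
    if raw[:1] != b"\x01":
        raise ValueError("malformed cryptogram")
    return raw[1:]

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    # Digital signature = private-key operation on the message digest.
    return pow(digest(data), key["d"], key["n"]).to_bytes(nbytes(key["n"]), "big")

def verify(n, data, signature):
    # Public-key operation on the signature must equal the recomputed digest.
    return pow(int.from_bytes(signature, "big"), E, n) == digest(data)

def ec_request(plain_text, sensitive):
    """Claim 34: cryptogram under the SP public key, then hash and sign."""
    rn_ec = secrets.token_bytes(16)
    pk_ec = EC_KEY["n"].to_bytes(nbytes(EC_KEY["n"]), "big")
    cryptogram = encrypt(SP_KEY["n"], pack(rn_ec, pk_ec, sensitive))
    body = pack(plain_text, cryptogram)           # combination message
    return rn_ec, pack(body, sign(EC_KEY, body))  # key exchange message

def sp_respond(message, tid):
    """SP side: open the request, then build the claim 37 response for the card."""
    body, signature = unpack(message)
    plain_text, cryptogram = unpack(body)
    rn_ec, pk_ec, sensitive = unpack(decrypt(SP_KEY, cryptogram))
    ec_n = int.from_bytes(pk_ec, "big")
    # The card key arrives inside the cryptogram, so the signature proves only
    # possession of it; tying it to an account rests on validating `sensitive`.
    if not verify(ec_n, body, signature):
        raise ValueError("card signature invalid")
    rn_sp, skey = secrets.token_bytes(16), secrets.token_bytes(16)
    reply = encrypt(ec_n, pack(rn_ec, rn_sp, skey, b"STD-SP-EC"))
    body = pack(tid, b"PLAIN-TEXT-SP-EC", reply)
    return skey, pack(body, sign(SP_KEY, body))

def ec_accept(message, rn_ec_sent):
    """Card side: verify the SP signature, decrypt, require the RN_EC echo."""
    body, signature = unpack(message)
    if not verify(SP_KEY["n"], body, signature):
        raise ValueError("SP signature invalid")
    tid, plain_text, cryptogram = unpack(body)
    rn_ec, rn_sp, skey, std = unpack(decrypt(EC_KEY, cryptogram))
    if not hmac.compare_digest(rn_ec, rn_ec_sent):
        raise ValueError("RN_EC not echoed: response is for another request")
    return tid, rn_sp, skey

def accepts(message, rn_ec_sent):
    try:
        ec_accept(message, rn_ec_sent)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    rn, request = ec_request(b"card hello", b"constructed account data")
    skey, response = sp_respond(request, b"TID-0001")
    print("session key agreed:", ec_accept(response, rn)[2] == skey)
```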

38. A method of conducting an electronic transaction among multiple parties arranged in series comprising the steps of:
sending a key exchange request message from an electronic card to a first party where the first party is a message router or participant;
sending the key exchange request message from the first party to a next party if the first party is a router;
combining a first party's key exchange request message with the electronic card's key exchange request message and sending the combined key exchange request message to a next party if the first party is a participant;
sending the key exchange request message to a next party if the current party is a message router;
combining a current party's key exchange request message with a last party's key exchange request message and sending the combined key exchange request message to a next party, if the current party is a participant;
formatting, by the service provider, into one message, a key exchange response for each participant and sending the message in reverse order of the path for sending the key exchange request message to the service provider; and
separating, by every participant, the key exchange response for itself from the key exchange responses for the other participants, and forwarding the remaining key exchange responses to the other participants in reverse order of the path for sending the key exchange request message to the service provider, until the electronic card receives its key exchange response.

39. A method of conducting an electronic transaction among multiple parties arranged in series comprising the steps of:
sending a transaction request message from an electronic card to a first party where the first party is a message router or participant;
sending the transaction request message from the first party to a next party if the first party is a router;
combining a first party's transaction request message with the electronic card's transaction request message and sending the combined transaction request message to a next party if the first party is a participant;
sending the transaction request message to a next party if the current party is a message router;
combining a current party's transaction request message with a last party's transaction request message and sending the combined transaction request message to a next party, if the current party is a participant;
formatting, by the service provider, into one message, a transaction response for each participant and sending the message in reverse order of the path for sending the transaction request message to the service provider; and
separating, by every participant, the transaction response for itself from the transaction responses for the other participants, and forwarding the remaining transaction responses to the other participants in reverse order of the path for sending the transaction request message to the service provider, until the electronic card receives its transaction response.

40. A method of conducting an electronic transaction among multiple parties arranged in a hierarchical organization comprising the steps of:
sending a key exchange request message from an electronic card to a first party where the first party is a message router or participant;
sending the key exchange request message to a next party X_{j,k} (j = 2, 3, 4, ...; k = 1, 2, 3, ...m; m is a variable of type n; n = 1, 2, 3, ...; m can be different values for different values of j) if the first party is a message router;
combining a first party's key exchange request message with the electronic card's key exchange request message and sending the combined key exchange request message to a next party X_{j,k} if the first party is a participant;
sending the key exchange request message to the next party X_{j,k} if a current party X_{j,k} is a message router;
combining a current party X_{j,k}'s key exchange request message with the last party's key exchange request message and sending the combined key exchange request message to the next party X_{j,k}, if the current party X_{j,k} is a participant;
formatting, by the service provider, into one message, a key exchange response for each participant and sending the message in reverse order of the path for sending the key exchange request message to the service provider; and
separating, by every participant, the key exchange response for itself from the key exchange responses for the other participants, and forwarding the remaining key exchange responses to the other participants in reverse order of the path for sending the key exchange request message to the service provider, until the electronic card receives its key exchange response.

41. A method of conducting an electronic transaction among multiple parties arranged in a hierarchical organization comprising the steps of:
sending a transaction request message from an electronic card to a first party where the first party is a message router or participant;
sending the transaction request message to a next party X_{j,k} (j = 2, 3, 4, ...; k = 1, 2, 3, ...m; m is a variable of type n; n = 1, 2, 3, ...; m can be different values for different values of j) if the first party is a message router;
combining a first party's transaction request message with the electronic card's transaction request message and sending the combined transaction request message to a next party X_{j,k} if the first party is a participant;
sending the transaction request message to the next party X_{j,k} if a current party X_{j,k} is a message router;
combining a current party X_{j,k}'s transaction request message with the last party's transaction request message and sending the combined transaction request message to the next party X_{j,k}, if the current party X_{j,k} is a participant;
formatting, by the service provider, into one message, a transaction response for each participant and sending the message in reverse order of the path for sending the transaction request message to the service provider; and
separating, by every participant, the transaction response for itself from the transaction responses for the other participants, and forwarding the remaining transaction responses to the other participants in reverse order of the path for sending the transaction request message to the service provider, until the electronic card receives its transaction response.

TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)

SERVICE PROVIDER HASHES AND PRODUCES A MESSAGE DIGEST: H[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] = MD_SP-EC

READ SP'S Private Key

USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR: E_SP-Private-Key(MD_SP-EC) = DS_SP-Private-Key

SERVICE PROVIDER COMBINES: [TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] * DS_SP-Private-Key

TO STEP 222 FIG. 6F

FROM STEP 178 FIG. 6D

RANDOM NUMBER GENERATOR, SP GENERATES RN TO M: RN_SP-M

MERCHANT'S RANDOM NUMBER (SEE 148) DECRYPTED BY SP (SEE 170): RN_M

SP GENERATES ONE SESSION KEY FOR MERCHANT: Skey_M

SP'S SENSITIVE TRANSACTION DATA TO MERCHANT: STD_SP-M

TO STEP 206 FIG. 6F

Reference numerals shown on this sheet: 196, 198, 200, 202, 204, 208, 210, 212, 214

FIG. 6F

FROM STEPS 208, 210, 212, 214 FIG. 6E

SP ENCIPHER: USE MERCHANT'S PUBLIC KEY: E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)

SP assigns a Transaction Identification Number to merchant: TID_SP-M = Transaction ID_SP-M

SP'S PLAIN TEXT TO MERCHANT: PLAIN TEXT_SP-M

SERVICE PROVIDER COMBINES PLAIN TEXT AND CRYPTOGRAM: TID_SP-M * PLAIN TEXT_SP-M * E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)

FROM STEP 204 FIG. 6E

SERVICE PROVIDER COMBINES: [TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] * DS_SP-Private-Key * [TID_SP-M * PLAIN TEXT_SP-M * E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)]

SP HASHES AND PRODUCES A MESSAGE DIGEST: H{[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] * DS_SP-Private-Key * [TID_SP-M * PLAIN TEXT_SP-M * E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)]} = MD_SP-M

READ SP Private Key

USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR: E_SP-Private-Key(MD_SP-M) = DS_SP-Private-Key

SERVICE PROVIDER COMBINES: «{[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] * DS_SP-Private-Key} * [TID_SP-M * PLAIN TEXT_SP-M * E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)]» * DS_SP-Private-Key = [(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key * (TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M)] * DS_SP-Private-Key

TO STEP 232 FIG. 6G

Reference numerals shown on this sheet: 206, 216, 218, 220, 222, 224, 226, 228, 230

FIG. 6G

FROM STEP 230 FIG. 6F

SECOND PARTY COMPUTER UNIT (SERVICE PROVIDER)

FIRST PARTY COMPUTER UNIT (MERCHANT)

Step 3 in FIG. 2

(1) Merchant separates the DS_SP-Private-Key.
(2) Merchant hashes the data portion of the SP's KE response message: H[(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key * (TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M)] = MD^_M
(3) Merchant separates the data portion of the SP's KE response message: TID_SP-M, PLAIN TEXT_SP-M, CRYPTO_SP-M, [(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC)] * DS_SP-Private-Key
(4) Merchant verifies: D_SP-Public-Key(DS_SP-Private-Key) = MD_M (Refer to FIG. 5)

MERCHANT DECIPHER: D_Merchant-Private-Key(CRYPTO_SP-M) = D_Merchant-Private-Key[E_Merchant-Public-Key(RN_SP-M * RN_M * Skey_M * STD_SP-M)]

Recover RN_M. Is RN_M identical with RN_M in step 148 FIG. 6B? If yes, then
(1) Merchant forwards SP's KE response message to EC: (TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC * DS_SP-Private-Key) to step 260 FIG. 6H
(2) Merchant prepares transaction phase of the transaction to step 244 FIG. 6H

START OF MERCHANT'S TRANSACTION PHASE

TO STEP 260 FIG. 6H

TO STEP 244 FIG. 6H

FIG. 6H

FROM STEP 240 FIG. 6G

Random Number SP (see 208) sent to Merchant (see 238): RN_SP-M

Merchant's sensitive transaction data to SP: STD_M

MERCHANT'S ACCOUNT INFORMATION: AI_M

TRANSACTION AMOUNT: TA

MERCHANT'S ENCIPHER: USE SP'S SESSION KEY FOR MERCHANT: Skey_M(RN_SP-M * STD_M * AI_M * TA) = CRYPTO_M

Transaction Identification Number SP (see 218) assigned to merchant (see 232): TID_SP-M

Merchant's Plain Text to SP: PLAIN TEXT_M

MERCHANT COMBINES: TID_SP-M * PLAIN TEXT_M * CRYPTO_M

FIRST PARTY COMPUTER UNIT (MERCHANT)

TO STEP 296 FIG. 6J

ELECTRONIC CARD COMPUTER UNIT (ORIGINATOR)

FROM STEP 240 FIG. 6G

Step 4 in FIG. 2

(1) EC separates the DS_SP-Private-Key, and hashes the data portion of the message: H(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) = MD^_SP-EC
(2) EC separates: TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key
(3) EC verifies: D_SP-Public-Key(DS_SP-Private-Key) = MD_SP-EC (Refer to FIG. 5)

TO STEP 266 FIG. 6I

YES

Reference numerals shown on this sheet: 244, 246, 248, 250, 252, 254, 256, 258

FIG. 6I

FROM STEP 262 FIG. 6H

EC'S DECIPHER: D_EC-Private-Key(CRYPTO_SP-EC) = D_EC-Private-Key[E_EC-Public-Key(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)]; and recovers RN_EC

REJECTED

YES

RANDOM NUMBER SP (see 184) SENT TO EC (see 266): RN_SP-EC

SENSITIVE TRANSACTION DATA EC TO SP: STD_EC

START OF EC'S TRANSACTION PHASE

EC'S ACCOUNT INFORMATION: AI_EC

TRANSACTION AMOUNT: TA

EC'S ENCIPHER: USE SP'S SESSION KEY FOR EC: Skey_EC(RN_SP-EC * STD_EC * AI_EC * TA) = CRYPTO_EC

Transaction Identification Number SP (see 194) assigned to EC (see 260): TID_SP-EC

EC's PLAIN TEXT: PLAIN TEXT_EC

EC COMBINES: TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC

EC HASHES AND PRODUCES A MESSAGE DIGEST: H[TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC] = MD_EC

READ EC'S Private Key

USE EC'S DIGITAL SIGNATURE GENERATOR: E_EC-Private-Key(MD_EC) = DS_EC-Private-Key

EC COMBINES: [TID_SP-EC * PLAIN TEXT_EC * Skey_EC(RN_SP-EC * STD_EC * AI_EC * TA)] * DS_EC-Private-Key

Step 5 in FIG. 2

TO STEP 296 FIG. 6J

Reference numerals shown on this sheet: 266, 270, 272, 274, 276, 278, 280, 282, 284, 286, 288, 290, 292, 294

FIG. 6J

ELECTRONIC CARD COMPUTER UNIT (ORIGINATOR)

NETWORK

FROM STEP 294 FIG. 6I

FIRST PARTY COMPUTER UNIT (MERCHANT)

FROM STEP 254 FIG. 6H

MERCHANT COMBINES: [TID_SP-EC * PLAIN TEXT_EC * Skey_EC(RN_SP-EC * STD_EC * AI_EC * TA)] * DS_EC-Private-Key * [TID_SP-M * PLAIN TEXT_M * Skey_M(RN_SP-M * STD_M * AI_M * TA)] = (TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) * DS_EC-Private-Key * (TID_SP-M * PLAIN TEXT_M * CRYPTO_M)

MERCHANT HASHES AND PRODUCES A MESSAGE DIGEST: H[(TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) * DS_EC-Private-Key * (TID_SP-M * PLAIN TEXT_M * CRYPTO_M)] = MD_M

MERCHANT'S Private Key

USE MERCHANT'S DIGITAL SIGNATURE GENERATOR: E_M-Private-Key(MD_M) = DS_M-Private-Key

MERCHANT COMBINES: {[TID_SP-EC * PLAIN TEXT_EC * Skey_EC(RN_SP-EC * STD_EC * AI_EC * TA)] * DS_EC-Private-Key * [TID_SP-M * PLAIN TEXT_M * Skey_M(RN_SP-M * STD_M * AI_M * TA)]} * DS_M-Private-Key = [(TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) * DS_EC-Private-Key * (TID_SP-M * PLAIN TEXT_M * CRYPTO_M)] * DS_M-Private-Key

FIRST PARTY COMPUTER UNIT (MERCHANT)

SECOND PARTY COMPUTER UNIT (SERVICE PROVIDER)

Step 6 in FIG. 2

(1) SP checks TID_SP-M and TID_SP-EC to make sure they are valid (see 218 and 194), if one of them is invalid then rejected 308.
(2) SP separates DS_M-Private-Key.
(3) SP hashes the data portion of the transaction request message, obtains MD^_M.
(4) SP separates the data portion of the transaction request message and obtains: TID_SP-M, PLAIN TEXT_M, CRYPTO_M, DS_M-Private-Key, (TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) * DS_EC-Private-Key

REJECT

TID_SP-M or TID_SP-EC is invalid

TO STEP 310 FIG. 6K

Reference numerals shown on this sheet: 296, 298, 300, 302, 304, 306, 308
FIG. 6K

FROM STEP 306 FIG. 6J

Use PK_M to verify the DS_M-Private-Key. Is MD^_M = MD_M? (Refer to FIG. 5)

NO

(1) SP separates DS_EC-Private-Key, hashes the data portion of EC's transaction request message: H(TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) = MD^_EC
(2) SP separates and obtains: TID_SP-EC, PLAIN TEXT_EC, CRYPTO_EC, DS_EC-Private-Key

SP uses PK_EC to verify DS_EC-Private-Key. Is MD^_EC = MD_EC? (Refer to FIG. 5)

REJECT

NO

Skey_M decrypt CRYPTO_EC, recovers RN_SP-EC, RN_SP-EC = RN_SP-EC in 184 FIG. 6D?

RN_SP-EC correct? Verify AI_EC and TA.

END OF KE PHASE

SP's Response Data_SP-EC to EC

YES

TO STEP 354 FIG. 6L

SP USES Skey_EC TO ENCRYPT: E_Skey-EC(Response Data_SP-EC) = CRYPTO_SP-EC

Transaction Identification Number SP (see 194) assigned to EC: TID_SP-EC

SP'S PLAIN TEXT TO EC: PLAIN TEXT_SP-EC

SERVICE PROVIDER COMBINES: TID_SP-EC * PLAIN TEXT_SP-EC * E_Skey-EC(Response Data_SP-EC) = TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC

TO STEP 346 and 352 FIG. 6L

Reference numerals shown on this sheet: 310, 312, 314, 324, 326, 328, 330, 332, 334, 336, 338, 340, 342, 344
FIG. 6L

FROM STEP 340 FIG. 6K

SERVICE PROVIDER HASHES AND PRODUCES A MESSAGE DIGEST: H[TID_SP-EC * PLAIN TEXT_SP-EC * E_Skey-EC(Response Data_SP-EC)] = MD_SP-EC

READ SP'S Private Key

USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR: E_SP-Private-Key(MD_SP-EC) = DS_SP-Private-Key

SERVICE PROVIDER COMBINES: [TID_SP-EC * PLAIN TEXT_SP-EC * E_Skey-EC(Response Data_SP-EC)] * DS_SP-Private-Key = (TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key

FROM STEP 332 FIG. 6K

SP's Response Data_SP-M to MERCHANT

SP USES Skey_M TO ENCRYPT: E_Skey-M(Response Data_SP-M) = CRYPTO_SP-M

Transaction Identification Number SP (see 218) assigned to Merchant (see 232): TID_SP-M

SP's plain text to merchant: PLAIN TEXT_SP-M

SERVICE PROVIDER COMBINES: TID_SP-M * PLAIN TEXT_SP-M * E_Skey-M(Response Data_SP-M) = TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M

SERVICE PROVIDER COMBINES: [TID_SP-EC * PLAIN TEXT_SP-EC * E_Skey-EC(Response Data_SP-EC)] * DS_SP-Private-Key * [TID_SP-M * PLAIN TEXT_SP-M * E_Skey-M(Response Data_SP-M)] = [(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key * (TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M)]

SERVICE PROVIDER HASHES AND PRODUCES A MESSAGE DIGEST: H[(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key * (TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M)] = MD_SP-M

TO STEP 368 FIG. 6M

TO STEP 372 FIG. 6M

Reference numerals shown on this sheet: 346, 348, 350, 352, 354, 356, 358, 360, 364, 366
FIG. 6M

FROM STEP 364 FIG. 6L

FROM STEP 366 FIG. 6L

READ SP'S Private Key

USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR: E_SP-Private-Key(MD_SP-M) = DS_SP-Private-Key

SERVICE PROVIDER COMBINES: «{[TID_SP-EC * PLAIN TEXT_SP-EC * E_Skey-EC(Response Data_SP-EC)] * DS_SP-Private-Key} * [TID_SP-M * PLAIN TEXT_SP-M * E_Skey-M(Response Data_SP-M)]» * DS_SP-Private-Key = [(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key * (TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M)] * DS_SP-Private-Key

SECOND PARTY COMPUTER UNIT (SERVICE PROVIDER)

Step 7 in FIG. 2

FIRST PARTY COMPUTER UNIT (MERCHANT)

(1) Merchant checks TID_SP-M to make sure it is valid (218 and 232), if not rejected 368.
(2) Merchant separates DS_SP-Private-Key.
(3) Merchant hashes the data portion of the message, obtains MD^_M.
(4) Merchant separates the data portion of the message: TID_SP-M, PLAIN TEXT_SP-M, CRYPTO_SP-M, DS_SP-Private-Key
Prepare to forward (TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC * DS_SP-Private-Key)

REJECTED

TID_SP-M is invalid

(1) Merchant use SP's session key for merchant received and decrypted 238 FIG. 6G: D_Skey-M(CRYPTO_SP-M) = D_Skey-M[E_Skey-M(Response Data_SP-M)]
(3) Merchant use SP_Public-Key to verify DS_SP-Private-Key (Refer to FIG. 5): D_SP-Public-Key(DS_SP-Private-Key) = MD_SP-M. When MD_SP-M equal to MD^_SP-M then, send (TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC * DS_SP-Private-Key) to 394 FIG. 6N

TO STEP 380 FIG. 6N

Reference numerals shown on this sheet: 368, 370, 372, 374, 376, 378

FIG. 6N

FROM STEP 370 FIG. 6M

Merchant's acknowledgement data to SP: Acknowledgement Data_M

Forward SP's message for EC

MERCHANT'S ENCIPHER: USE SP'S SESSION KEY FOR MERCHANT: Skey_M(RN_SP-M * Acknowledgement Data_M) = CRYPTO_M

Transaction Identification Number assigned by SP (see 210) to Merchant (see 224): TID_SP-M

Merchant's Plain Text to SP: PLAIN TEXT_M

MERCHANT COMBINES: TID_SP-M * PLAIN TEXT_M * CRYPTO_M

FIRST PARTY COMPUTER UNIT (MERCHANT)

TO STEP 422 FIG. 6P

Merchant forwards SP's message for EC; Step 8 in FIG. 2

ELECTRONIC CARD COMPUTER UNIT (ORIGINATOR)

(1) EC checks TID_SP-EC to make sure it is valid (194, 260). If not valid rejected 396.
(2) EC separates DS_SP-Private-Key.
(3) EC hashes the data portion of the message, obtains MD^_SP-EC.
(4) EC separates the data portion of the message: TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key

REJECT

TID_SP-EC is invalid

TO STEP 398 FIG. 6O

Reference numerals shown on this sheet: 384, 386, 388, 390, 392, 394, 396
FIG. 6O

FROM 394 FIG. 6N

(1) EC uses SP's session key for EC that received and decrypted in step 266 FIG. 6I: D_Skey-EC(CRYPTO_SP-EC) = D_Skey-EC[E_Skey-EC(Response Data_SP-EC)]
(2) EC use D_SP-Public-Key to verify DS_SP-Private-Key (Refer to FIG. 5): D_SP-Public-Key(DS_SP-Private-Key) = MD_SP-EC. Is MD_SP-EC equal to MD^_SP-EC?

REJECT

NO

EC's acknowledgement data to SP: Acknowledgement Data_EC

YES

EC'S ENCIPHER: USE SP'S SESSION KEY FOR EC: Skey_EC(Acknowledgement Data_EC) = CRYPTO_EC

Transaction Identification Number assigned by SP (see 186) to EC (see 252): TID_SP-EC

EC'S PLAIN TEXT TO SP: PLAIN TEXT_EC

EC COMBINES: TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC

EC HASHES AND PRODUCES A MESSAGE DIGEST: H[TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC] = MD_EC

READ EC'S Private Key

USE EC'S DIGITAL SIGNATURE GENERATOR: E_EC-Private-Key(MD_EC) = DS_EC-Private-Key

EC COMBINES: [TID_SP-EC * PLAIN TEXT_EC * Skey_EC(Acknowledgement Data_EC)] * DS_EC-Private-Key

TO STEP 422 FIG. 6P

Step 9 in FIG. 2

Reference numerals shown on this sheet: 398, 400, 402, 404, 406, 408, 410, 412, 414, 416, 418, 420

FIG. 6P

ELECTRONIC CARD COMPUTER UNIT (ORIGINATOR)
FROM STEP 420 FIG. 6O, via NETWORK

FROM STEP 388 FIG. 6N

MERCHANT COMBINES (422):
    {[TID_SP-EC * PLAIN TEXT_EC * Skey_EC(Acknowledgement Data_EC)] * DS_EC-Private-Key}
    * [TID_SP-M * PLAIN TEXT_M * Skey_M(Acknowledgement Data_M)]

MERCHANT HASHES AND PRODUCES A MESSAGE DIGEST:
    H«{[TID_SP-EC * PLAIN TEXT_EC * Skey_EC(Acknowledgement Data_EC)] * DS_EC-Private-Key}
    * [TID_SP-M * PLAIN TEXT_M * Skey_M(Acknowledgement Data_M)]» = MD_M

READ MERCHANT'S Private Key

USE MERCHANT'S DIGITAL SIGNATURE GENERATOR:
    E_M-Private-Key(MD_M) = DS_M-Private-Key

MERCHANT COMBINES (430):
    «{[TID_SP-EC * PLAIN TEXT_EC * Skey_EC(Acknowledgement Data_EC)] * DS_EC-Private-Key}
    * [TID_SP-M * PLAIN TEXT_M * Skey_M(Acknowledgement Data_M)]» * DS_M-Private-Key
    = {[(TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) * DS_EC-Private-Key]
    * (TID_SP-M * PLAIN TEXT_M * CRYPTO_M)} * DS_M-Private-Key

FIRST PARTY COMPUTER UNIT (MERCHANT)

Step 10 in FIG. 2

SECOND PARTY COMPUTER UNIT (SERVICE PROVIDER)

TO STEP 432 FIG. 6Q

Other reference numerals on this sheet: 424, 426, 428.

FIG. 6Q



FROM STEP 430 FIG. 6P

(432)
(1) SP checks TID_SP-M and TID_SP-EC to make sure it is valid (see 218 and 194); if one of them is not valid then rejected 434.
(2) SP separates DS_M-Private-Key.
(3) SP hashes the data portion of the message and obtains MD^_M.
(4) SP separates the data portion of the message: TID_SP-M, PLAIN TEXT_M, CRYPTO_M, DS_M-Private-Key, (TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) * DS_EC-Private-Key

REJECT (434): Either TID_SP-M or TID_SP-EC is invalid

SP uses PK_M (see 150 and 170) to verify the decrypt DS_M-Private-Key (Refer to FIG. 5).
    D_M-Public-Key(DS_M-Private-Key) = MD_M
    Is MD_M = MD^_M?

SP uses Skey_M (see 210) to decrypt CRYPTO_M and obtains Acknowledgment Data_M

(1) SP separates DS_EC-Private-Key.
(2) SP hashes the data portion of EC's acknowledgement message: H(TID_SP-EC * PLAIN TEXT_EC * CRYPTO_EC) = MD^_EC
(3) SP separates and obtains: TID_SP-EC, PLAIN TEXT_EC, CRYPTO_EC, DS_EC-Private-Key

SP uses PK_EC (see 126 and 176) to decrypt DS_EC-Private-Key (Refer to FIG. 5).
    D_EC-Public-Key(DS_EC-Private-Key) = MD_EC
    Is MD_EC = MD^_EC?

REJECT

SP uses Skey_EC (see 186) to decrypt CRYPTO_EC and obtains Acknowledgment Data_EC

END OF TRANSACTION PHASE

TRANSACTION COMPLETED

Other reference numerals on this sheet: 436, 444, 446, 450, 452, 454.


FIG. 13 [drawing; recoverable labels: SERVICE PROVIDER (60); reference numerals 1200, 1210, 1220, 230, 1240]

INTERNATIONAL SEARCH REPORT

International application No. PCT/US99/09938

A. CLASSIFICATION OF SUBJECT MATTER
IPC(6): H04K 1/00; H04L 9/00
US CL: 380/30, 49
According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED
Minimum documentation searched (classification system followed by classification symbols)
U.S.: 380/30, 49

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched

Electronic data base consulted during the international search (name of data base and, where practicable, search terms used)

C. DOCUMENTS CONSIDERED TO BE RELEVANT

Category*: Y, A

Citation of document, with indication, where appropriate, of the relevant passages:

US 5,544,246 A (MANDELBAUM et al) 06 August 1996, Figures 2-7, col. 2, lines 9-33.

SCHNEIER, BRUCE. Applied Cryptography, second edition, 1996, pgs. 43, and 51-54.

US 5,671,279 A (ELGAMAL) 23 September 1997, figures 1-4, col. 3, lines 38-42.

Relevant to claim No.: l-n; 12-41; 12-41




Date of the actual completion of the international search: [illegible] July 1999

Date of mailing of the international search report: 09 SEP 1999

Name and mailing address of the ISA/US
Commissioner of Patents and Trademarks
Box PCT
Washington, D.C. 20231
Facsimile No. (703) 305-3230

Authorized officer: DOUGLAS ME1SLAIIN
Telephone No. (703) 305-1^38

CORRECTED VERSION*

WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

PCT

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 6: H04K 1/00, H04L 9/00

A1

(11) International Publication Number: WO 99/57835

(43) International Publication Date: 11 November 1999 (11.11.99)

(21) International Application Number: PCT/US99/09938

(22) International Filing Date: 5 May 1999 (05.05.99)

(30) Priority Data: 60/084,257, 5 May 1998 (05.05.98), US

(71)(72) Applicant and Inventor: CHEN, Jay, C. [-/US]; 1335 Blackstone Road, San Marino, CA 91108 (US).

(74) Agent: GELFOUND, Craig, A.; Christie, Parker & Hale, LLP, P.O. Box 7068, Pasadena, CA 91109-7068 (US).

(81) Designated States: AE, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CU, CZ, DE, DK, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, UA, UG, US, UZ, VN, YU, ZA, ZW, ARIPO patent (GH, GM, KE, LS, MW, SD, SL, SZ, UG, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published
With international search report.
Before the expiration of the time limit for amending the claims and to be republished in the event of the receipt of amendments.

(54) Title: A CRYPTOGRAPHIC SYSTEM AND METHOD FOR ELECTRONIC TRANSACTIONS

(57) Abstract

An electronic transaction system, which facilitates secure electronic transactions among multiple parties including cardholders (20), merchants (70), and service providers (SP) (60). The system involves electronic cards, commonly known as smart cards, and their equivalent computer software package. The card mimics a real wallet and contains commonly seen financial or non-financial instruments such as a credit card, checkbook, or driver's license. A transaction is protected by a hybrid key cryptographic system and is normally carried out on a public network such as the Internet. Digital signatures and random numbers are used to ensure integrity and authenticity. The card utilizes secret keys such as session keys assigned by service providers (SPs) to ensure privacy for each transaction.

A CRYPTOGRAPHIC SYSTEM AND METHOD FOR ELECTRONIC TRANSACTIONS

FIELD OF THE INVENTION
The present invention relates generally to a cryptographic system and method for secure electronic transactions, and more particularly to an electronic card, which takes the form of a "smart card" and/or its equivalent software.

BACKGROUND OF THE INVENTION

The generic term, "smart card," generally denotes an integrated circuit (IC) card, that is, a credit-card-size piece of plastic with an embedded microchip. The IC chip on a smart card generally, but not necessarily, consists of a microprocessor (the CPU), read-only memory (ROM), random access memory (RAM), an input/output unit, and some persistent memory such as electrically erasable programmable read-only memory (EEPROM). The chip can perform arithmetic computations, logic processing, data management, and data communication.

Smart cards are mainly of two types: contact and contact-less. The International Standard Organization (ISO) has established specifications for such electronic cards under the ISO series. In particular, ISO 7816 applies to integrated circuit(s) cards. Because of its computing capability, a smart card can support a multitude of security features such as authentication, secured read/write, symmetric key and asymmetric key encryption/decryption. These smart card security features make it well suited for electronic commerce where data security and authenticity are of primary importance.

Smart card use has found application in many specialized fields such as mass transportation, health insurance, parking, campus, gas, etc. And its potential use in electronic commerce and other financial areas is gaining popularity at a rapid pace. U.S. Pat. No. 5,521,362, issued to Robert S. Power on May 28, 1996, entitled "Electronic purse card having multiple storage memories to prevent fraudulent usage and method therefor," describes an electronic purse application. Power's invention demonstrates a smart card's capability to be used as a secure financial instrument and not just as a storage device.

As advances in technology push smart-card chip computing to higher speeds and larger memory capacity, the concept of a "multi-application" smart card is increasingly becoming economically and physically feasible. U.S. Pat. No. 5,530,232 issued to Douglas C. Taylor on June 25, 1996, entitled "Multi-application data card," describes a multi-application card, which is capable of substituting for a plurality of existing single-application cards and satisfying both financial and non-financial requirements. The multi-application card uses a conventional data link to connect between the smart card and the remote service provider. Taylor's invention, the multi-application card, does not relate to any kind of open network or cryptographic method.

U.S. Pat. No. 5,544,246 issued to Mandelbaum et al. on Aug. 5, 1996, entitled "Smart card adapted for a plurality of service providers and for remote installation of same," describes a smart card, which allows different service providers to coexist on the same smart card. Each service provider is considered a user of the smart card and is installed on the card by the issuer/owner of the smart card. Each user is allowed to build a tree-like file structure and protect it with a password file. Mandelbaum's invention depicts a smart card that allows for the creation and deletion of multiple applications. Mandelbaum's smart card controls the access to each application by using an appropriate password file.

U.S. Pat. No. 5,671,279 issued to Taher Elgamal on September 23, 1997, entitled "Electronic commerce using a secure courier system," describes a system for implementing electronic commerce over a public network using public/private key cryptography. The Elgamal patent did not mention the use of a smart card as a tool in conducting the electronic commerce and the participants were authenticated through the use of digital certificates. The secure courier system requires a secured channel such as a Secure Socket Layer (SSL) between the trading parties over an open network such as the Internet.

U.S. Pat. No. 5,790,677, issued to Fox et al. on August 4, 1998, entitled "System and method for secure electronic commerce transactions," describes a system and method having a registration process followed by a transaction process. During the registration phase, each participant of a transaction registers with a trusted credential-binding server by sending to the server a registration packet. The server produces unique credentials based upon the request received and sends them to the request originator. During the transaction phase, the originator of the transaction requests, receives and verifies the credentials of all intended recipients of the commerce document and/or instrument and encrypts the document and/or instrument using the public key of the individual recipient. Thus, each receiving party can decrypt and access the information intended only for him. Fox's patent describes a process which reflects the theme of the so-called "Secure Electronic Transaction" (SET) standard, which is an ongoing effort supported by several major financial and software companies to establish a digital certificate and certificate authority based electronic commerce system.

U.S. Pat. No. 5,796,840 issued to Derek L. Davis on August 18, 1998, entitled "Apparatus and method for providing secured communication," describes a semiconductor device, which is capable of generating device-specific key pairs to be used in subsequent message authentication and data communication. The semiconductor device uses public/private key cryptography to ensure the authenticity of two communicating parties.

U.S. Pat. No. 5,534,857 issued to Simon G. Laing and Matthew P. Bowcock on July 9, 1996, entitled "Method and System for Secure, Decentralized Personalization of Smart Cards," describes a method and apparatus for securely writing confidential data from an issuer to a customer smart card at a remote location. A mutual session key for enciphering data transfer between a secure terminal and a secure computer is generated by using a common key stored in the secure computer and a retailer smart card.

It is clear from the inventions mentioned above that the architecture of a secure electronic commerce system involves a public key infrastructure and digital certificate authority associated with it.

On an open network, a secret key-based system is less flexible in terms of key distribution and key management, and is more subject to malicious attack. On the other hand, a public/private key-based system, with all its advantages over the secret key system, has its own daunting task of authenticating transaction parties to one another. The current invention presents another system and method, which replaces the need for certificate authorities and digital certificates. The current invention is a hybrid system for electronic transactions. The hybrid system uses public/private keys during the key exchange phase and uses a session key as a secret key during the transaction phase.

SUMMARY OF THE INVENTION
The invention is a cryptographic system and method for electronic transactions by using an electronic card (EC) in the form of a smart card or equivalent software and communicating over a communications network.

The preferred embodiment of the invention uses an open network, such as the Internet. Alternative embodiments of the invention may use other types of networks. An embodiment of the invention may either use a physical smart card, or alternatively, a smart card, which is implemented as a computer software package and runs on a computing device such as a personal computer (PC). Likewise, a merchant involved in a transaction may use a merchant device, which is a point-of-sale terminal, or a device, which uses software on a host computer to communicate with an EC and a service provider. When a smart card is used, a smart card reader is also needed to allow the card to communicate with a host device, such as a network ready merchant terminal, a PC, or any other electronic device, which is capable of supporting smart card transactions.

In a public key and digital certificate based system, transaction participants exchange public information through the use of digital certificates or other electronic credentials which are issued and certified by a certificate authority (CA) or credential binding server. The communication between the CA or the server and each participant of the transaction must be secure. Random numbers and digital signatures are used to ensure the authenticity and validity of the messages transmitted among the participants.

The cryptographic system and method of the preferred embodiment of the invention also uses public/private key cryptography, but it works in a slightly different way. The cryptographic system and method does not seek to create another kind of trust relationship as the one that exists between holders of digital certificates and the certificate authorities. It particularly targets large membership-based financial institutions such as a large credit card company and all its cardholders, or a major bank and all its ATM cardholders as its potential users. Non-financial institutions can also use this cryptographic system and method to conduct commercial or non-financial transactions over a network.

A service provider (SP) provides some service to its members. Financial institutions are just one kind of service provider. A service provider can also be non-financial in nature. Regardless of whether a service provider is a financial institution or a non-financial institution, essentially the same process occurs. The only difference between a transaction involving a financial institution and a transaction involving a non-financial institution is that the messages may include different data fields.

When an EC holder signs up with one of the service providers, the service provider creates a dedicated entry on the EC. Each entry contains the account information for the service provider, the SP's public key, access control information, and other related data. Each EC can support a predetermined number (e.g. ten) of such entries and each such entry is a representation of one service provider.

By using the public/private key cryptography, the key distribution process is much simplified. The EC holder him/her/self or any trusted third party such as a bank branch or even a post office can perform the task. The SP's public key is only used for the initial key exchange between the SP and the cardholder. After the initial key exchange step, the SP assigns a session key, which protects any further message exchange between the cardholder and the SP or between the cardholders themselves.

This hybrid system, which uses both public key/private key cryptography and secret key cryptography (i.e., session key), is in contrast to other secret-key systems in that in the hybrid system, the secret key (i.e., session key) is valid for a single session and is not applicable to other sessions. A session has a determinate length of time. A session may terminate based upon a time period or upon conditions being satisfied.

Where a merchant is involved in a transaction, the merchant goes through essentially the same procedures as the EC holder to communicate with the SP. The merchant will first perform a key exchange with the SP and receive a session key. The session key will be used by the merchant for subsequent communication with the SP. The cardholder and the merchant digitally sign each message going to the SP and the SP similarly signs the response message going back to the cardholder and the merchant.

In the event that a transaction requires interactions with another certificate-based system, the SP, after authenticating the cardholder and the merchant based on further information exchange after the initial key exchange, can act as a surrogate-certificate for the cardholder and the merchant. In the most extreme case, the SP performs solely this surrogate function and becomes a gateway for the certificate-based system. This type of hierarchy is highly desirable since it reduces the number of trust relationships needed to carry out a transaction among multiple systems. In addition, it eliminates the users' need to carry certificates.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram showing the relationship among the components of a system according to an embodiment of the invention.

Figure 2 shows the flow of the two transaction phases via a network.

Figure 3 is the diagrammatic representation of an EC.

Figure 4 shows the format of the service provider data area. Each service provider's information is allocated an entry in the table and is protected by access conditions.

Figure 5 shows how the digital signatures are used in an embodiment of the invention.

Figures 6A through 6Q show the schematic flow chart of the cryptographic system and method used in an embodiment of the invention in order to conduct electronic transactions via an open telecommunication network, such as the Internet.

Figure 7 through Figure 11 depict the final format and content of the combined request and response messages in the key exchange phase and the transaction phase.

Figure 12 shows a service provider conducting a transaction with participants that have been arranged in series.

Figure 13 shows a service provider transaction on a network with participants that have been arranged in a hierarchical organization scheme.



DETAILED DESCRIPTION

The preferred embodiment of the invention is a cryptographic system and method for electronic transactions by using an electronic card (EC) in the form of a smart card or equivalent software and communicating over a communications network.

In the preferred embodiment of the invention, the network is an open network such as the Internet. In alternative embodiments of the invention, other open networks and/or closed networks may be used to establish communication between a service provider and its members. For example, a service provider may use its own proprietary financial network to communicate with its members.

Any Internet protocol may be used for Internet connections. Example protocols which can be used include TCP/IP, UDP, HTTP, and the like.

Communication may also be via a communications network transport service such as the Public Switched Telephone Network (PSTN) using traditional analog telephone service (a.k.a. Plain Old Telephone Service or POTS), or by using a digital communication service such as a T-1, E1 or DS-3 data circuit, Integrated Services Digital Network (ISDN), Digital Subscriber Line (DSL) services, or even using a wireless service, and the like. When implemented using such a service the invention may be implemented independent of a communications protocol (i.e. at an electrical interface layer).

Communication may also be via a local area network (LAN) or Wide Area Network (WAN) such as Ethernet, Token Ring, FDDI, ATM or the like. Example protocols which can be used include TCP/IP, IPX, OSI, and the like.

Other communication links might include an optical connection, a wireless RF modem connection, a cellular modem connection, a satellite connection, etc.

The invention may be employed as long as a communication path can be established between a service provider and its members. The examples above are intended to illustrate several examples of the various communications environments in which the invention may be practiced. As is clear to one ordinarily skilled in the art, the invention is not limited to those environments detailed above.

The EC can take the form of a smart card device or a software package running on a computer system such as a personal computer (PC). When the EC is implemented on a smart card, it can be used on a network-ready computer system such as a PC to transact with another member and/or a selected service provider. It will need a read/write interface device to communicate with a computer system and some application software such as an Internet browser to interface with the cardholder and the network. If the EC is a software package loaded into a computer system, then no read/write interface is needed. The exemplary embodiment of the invention is for the EC to act as an electronic wallet (or cyber wallet) which functions similar to a real wallet. A real wallet can carry credit cards, debit cards, ATM cards, health provider cards, membership cards, cash, etc. An EC has the digital equivalent of all the above-mentioned financial and non-financial instruments and enables conducting secure transactions over the Internet.

A service provider member can be a merchant and/or an EC cardholder. A merchant is a member who is paid by the service provider as a result of a transaction. A member can be both a merchant and an EC cardholder. A merchant may engage in a transaction with other cardholders, which results in the merchant being paid by the service provider. A merchant may also be an EC cardholder and purchase supplies, for example, from a merchant supplier.

The cryptographic system may involve communication between a service provider and any number of service provider members. Thus, communication can be between an EC and an SP, between a merchant and an SP, between a first EC, a second EC, and an SP, between a first merchant, a second merchant, and an SP, etc. An EC may communicate directly with a service provider to inquire about an account balance for example. A merchant may communicate with a service provider only on his own behalf and not on behalf of an EC because, for example, the merchant wants to know his own account balance with the service provider. Communication between the SP and its members may follow any permutation of the SP and its members. The organization of the communication links between the SP and its members may be sequential and/or hierarchical. Communication between the SP and its members may also be via routers, which route the messages between the SP and its members.

The cryptographic method is a two-phased key-exchange-transaction model. The first phase is a key exchange phase. The second phase is the transaction phase. In the key exchange phase, the members exchange keys with the service provider. The members send their keys to the service provider and the service provider uses the keys to send a session key to the members. The session key protects any further message exchange between the cardholder and the SP or between the cardholders themselves. In the transaction phase, either the SP can direct the transaction or the cardholders themselves may conduct the transaction.

Figure 1 is a block diagram showing the relationship among the components of a system according to an exemplary embodiment of the invention involving a cardholder, a merchant, and a service provider.

An EC cardholder 20 can conduct a transaction over a network 50 and communicate with 
a merchant either by using an EC read/write device 82 attached to an originating computer 84 
or by using EC equivalent software 92 running on an originating computer unit 90. 

A merchant can conduct a transaction over a network by either using a network-ready 
1 5 point-of-sale(s) (POS) terminal 40 or by using EC equivalent software running on a merchant 
device 70 to conduct an electronic transaction with a selected service provider 60 via a network 

50 such as the Internet. 

Once the access conditions to the card have been satisfied, the cardholder can perform 
financial or non-financial transactions with other participants of the system through the network 
20 50. In Figure 1 , there are three different scenarios in which a transaction over a network can be 
conducted. 

(1) In a POS transaction (Upper left side of figure 1), the cardholder 20 swipes/inserts an 
EC through/into a merchant's EC reader/writer 30 at a merchant's premises. The EC 
reader/writer is connected to a network-ready merchant POS terminal 40. The network- 

25 ready merchant POS terminal 40 is a secure tamper-resistant programmable device 

comprising an input means such as a keyboard, a display device, a processing unit, and 
an EC read/write device 30 (an EC interface device). It is typically a small computer 
unit such as a PC equipped with a communication link to an open network. The POS 
terminal communicates to the SP via the network 50. 

30 (2) (Right side of figure 1 ) A cardholder can conduct a transaction with other participants 

of the system by inserting the EC 20 into a read/write device 82, which is connected to 
the cardholder's personal computer 84 which is the originating computer. The 
originating computer connects to a network 50 allowing the EC to communicate with 
the merchant computer unit 70. The merchant computer unit 70 has EC equivalent 

35 software 72 that enables the merchant to receive the EC generated message and 

generates a message combining EC information and merchant information. Then, the 
combined message is sent to the SP over a network. 
(3) (Bottom side of figure 1) A cardholder can conduct a transaction with other participants 
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] of the system by using EC equivalent software 92 on the customer cardholder's personal 

computer 90. The transaction begins at the originating computer unit 90, that is, the 
cardholder's personal computer. The cardholder conducts the transaction over a 
network 50 and communicates with the merchant's computer unit 70, which in turn 
5 communicates with the SP 60 over a network 50. 

While in the preferred embodiment of the invention, a personal computer is used to hold the 
EC equivalent software, in alternative embodiments of the invention other electronic devices can 
be used to hold the EC equivalent software. 

In the preferred embodiment of the invention, the network used to enable the EC to
communicate with the merchant is the same network used to enable the merchant to
communicate with the SP. In another embodiment, the network used to enable the EC to
communicate with the merchant may not be the same network used to enable the merchant to
communicate with the SP. In yet another embodiment, the network used to enable one merchant
to communicate with the SP may not be the same as the network used to enable another merchant
to communicate with the SP. In still yet another embodiment, the network used to enable an EC
to communicate with the merchant may not be the same as the network used to enable another EC
to communicate with another merchant. An embodiment may consist of a multiplicity of
networks whereby different parties communicate.

In the preferred embodiment of the invention, a transaction is broken down into two phases:
a key exchange phase and a transaction phase. Figure 2 is a specific case, which illustrates the
two-phase key-exchange-transaction model where the SP directs the transaction phase. There is
no direct exchange of sensitive information between participants when the SP directs the
transaction.

The key exchange phase is the same whether the transaction phase is conducted among the
cardholders themselves or directed by the SP. Where the transaction phase is
among the cardholders themselves, the cardholders use the SP session key to communicate with
each other and conduct a transaction.

Figure 2 demonstrates a financial transaction where the SP directs the transaction phase.
The transaction shown involves three parties: an EC (a transaction originator) 102, a merchant
104, and a service provider (SP) 106. The originating party is an EC cardholder who is the
consumer and is represented by the computer unit 102. The computer unit 104 represents the
merchant. The computer unit 106 represents the service provider. An SP is selected by both an
EC and merchant.

Figure 2 demonstrates a financial transaction wherein the process flow is from an EC to a
merchant to an SP. The cryptographic method's process flow is not limited to any particular
order between merchants and EC cardholders. Figure 2 is merely an example of a particular
transaction, which flows from EC to merchant to service provider. The process flow can also
go from merchant to EC to service provider. Figure 2 demonstrates how service provider
members (in this case, the EC cardholder and the merchant) create, append, and send messages
to a service provider.

The ten arrows numbered 1 to 10 in figure 2 show how the messages flow among the three
parties during the two transaction phases. Steps 1 through 4 belong to the key exchange phase
and steps 5 through 10 belong to the transaction phase. In figure 2, the merchant serves as an
intermediary between the EC and SP. In step 1, the key exchange request is formatted by the EC
and sent to the merchant. In step 2, the merchant combines his own key exchange message with the
EC's key exchange message and sends the combination key exchange message to an SP. In
step 3, the SP formats a key exchange response for the merchant, formats a key exchange
response for the EC, combines the key exchange responses to form a combined key exchange
response and sends the combined key exchange response to the merchant. In step 4, the
merchant separates the key exchange response for the merchant from the key exchange response
for the EC and forwards the EC's key exchange response message back to the EC. Step 4
concludes the main activities in the key exchange phase.

The transaction phase begins with step 5. In step 5, the EC formats its transaction request
message and sends it to the merchant. In step 6, the merchant combines the received transaction
request message with his own transaction request message and sends the combination transaction
request message to the SP. In step 7, the SP formats a transaction response message for the
merchant, formats a transaction response message for the EC, combines the transaction response
messages and sends the combined transaction response message back to the merchant. In step 8, the
merchant separates the transaction response message for the merchant from the transaction
response message for the EC and forwards the EC's transaction response message back to the
EC. In step 9, the EC formats a confirmation message and sends it to the merchant. In step 10,
the merchant combines the received confirmation message with his own confirmation message
and sends the combination confirmation message to the SP. Step 10 concludes the transaction
phase of a transaction.

While figure 2 demonstrates a simple transaction, some transactions may involve multiple
messages. During some transactions, more than one message may be required to complete each
phase, in which case those messages will follow the same rules of combination and flow pattern.
For example, during the transaction phase, the SP may require that the EC and the merchant send
over account information first. If the account information is verified to be valid, the SP sends
confirmation of the account information in the response message. Once the merchant and the
EC receive the response message, the EC and the merchant send the transaction amount
and other transaction-related information in the next message going to the SP. The SP
subsequently approves or disapproves the transaction. The steps in figure 2 apply to both the
account message and the transaction message.

If the completion of a transaction requires interaction with some external system such as
a public key and digital certificate based system 108, the SP will act as a surrogate-certificate
for the EC and the merchant and deal with the external system on behalf of the EC and the
merchant. A desired result of the invention is to shield all of the participants of a transaction
from an external system and therefore reduce the number of trust relationships needed to
complete a transaction. If a participant of a transaction has dual membership of this system and
an external system, then he has a choice of either acting as a member of this system or as a
member of an external system. In the latter case, the SP will interface with the participants using
the rules of an external system. For example, to deal with an external public and digital
certificate or credential based system, the SP has in its possession all of the required certificate(s)
or credential(s) which satisfy the trust relationship demanded by the external system. Such
credentials are required in order for the SP and the external system to complete the transaction
initiated by the EC and the merchant. In this case, only the SP needs to have a trust relationship
with the external system. Based on this trust relationship, individual ECs and merchants are able
to complete transactions with the hypothetical external system.

Figure 3 is a diagrammatic representation of a preferred embodiment of an EC. In a
preferred embodiment of the invention, an EC is internally composed of the software/hardware
components shown in Figure 3. The EC is ISO 7816-based and supports the same kind of
communication protocols and commands as defined in ISO 7816.

The EC has a card operating system 550 to manage the EC's internal resources. The on-card
cryptographic service 650 can be implemented in software or be provided by a
cryptographic co-processor (not shown in figure 3), or other hardware solutions, or a hybrid of
software and hardware.

One of the unique features of the EC is the service provider data area (SPDA) in the EC
memory, which contains the service providers' account and key information. The service
provider data area (SPDA) 700 contains a number of slots. In the preferred embodiment, the
SPDA contains a pre-defined number (e.g. ten) of slots, one for each potential service provider.
In another embodiment, the number of slots may be dynamically changed. A record for each
service provider can be placed into an empty slot. Each record contains the account number,
public key, and other related information for a specific service provider.

Depending on the EC design, the SPDA can optionally allow each SP to include some
software (such as an "applet" in the JAVA terminology) to manage its own on-card data and
provide an interface between the SP card data and the host application. In other words, the SPDA
can contain more than just simple data; it can allow each SP to put a self-contained application
program (such as an applet) on the EC to provide its own unique service to the cardholder. The
advantage of this type of design is that the EC itself is now detached from the type of service it
can provide. Each SP can bring with it its own service capability. When another SP replaces
an on-card SP, there will be no change necessary to the EC platform. The new SP applet is
simply loaded into the card and it will perform what it is designed to do.

In the SPDA, each service provider is allocated space for public keys. In many transactions,
only one key pair is used, but for some online transactions, two or more key pairs are required.
If the SP uses the same public/private key pair for both incoming messages and the signing of
outgoing messages, then one public key is enough. If the SP uses a different key pair for signing,
then both SP public keys (one for incoming messages and one for the signing of outgoing messages)
are required in the SPDA.

In the preferred embodiment of the invention, two public/private key pairs rather than one
public/private key pair are used to communicate with other applications through a network,
because using two public/private key pairs rather than one public/private key pair provides
greater security. One pair is used for decrypting an incoming message, i.e., the sender encrypts
the message using the recipient's public key and the recipient decrypts the message using the
corresponding private key. The other pair is for the sender to digitally sign the message he sends
out and the recipient to verify the digital signature using the corresponding sender's public key.

Each service provider is allocated space for the number of public keys used by the service
provider. If the SP uses the same public/private key pair for both incoming messages and
signing of outgoing messages, then one public key is enough. If the SP uses different key pairs
for receiving and signing messages, then both of the SP's public keys are required in the SPDA.

In an alternative embodiment of the invention, more than two public/private key pairs may 
be required and used by a service provider for even greater security. 

When an EC holder is issued a new financial or non-financial instrument, the issuing
institution or a trusted third party will load the needed information comprising a record into an
available slot. The information in the slot can be erased when the service provider account is
closed. Some of the information in a slot can be read and modified during a transaction, e.g. an
account balance. Some information such as account number is write protected, but can be read.
Some information such as a private key is both read and write protected. The access conditions
600 contain security information such as PINs, biometric data, etc., that an EC user must submit
to open the card for use or to gain access to the information stored on the card.

Traditional Personal Identification Numbers (PINs) or other security measures such as
biometric data are used to protect the EC. Biometrics involves the measurement of a
cardholder's biological traits, such as physical traits and behavioral traits. A biometric system
may measure an individual's fingerprints, hand geometry, handwriting, facial appearance,
speech, physical movements, keyboard typing rhythms, eye features, breath, body odor, DNA,
or any other physical attribute of the cardholder. The functions provided by an EC can be
activated only after all the access conditions have been satisfied. Each service provider residing
on the card can optionally implement other access conditions.

Figure 4 shows the format of the service provider data area of a preferred embodiment of
the invention. Each service provider's information is allocated an entry in the table, which can
be protected by additional access conditions. The PIN 712 and the miscellaneous data field 714
allow the service provider to provide extra protection or an extra data field to the instrument it
supports. The name field 702 contains the names of the service providers, which can be used by the
cardholder at the beginning of an online transaction to initially select the applicable service
provider for a transaction. The key type field 704 specifies the type of key the service provider
chooses to use: secret key, public key, etc. The key value 706 and account information fields
708 contain information unique to each service provider. The card type field 710 specifies the
type of instrument a service provider supports.

In the preferred embodiment of the invention, the on-card Operating System (COS)
provides some fundamental services for the cardholder. Following is a list of general functions
which can be performed by the COS:

(1) Traditional OS functionality such as memory management, task management, etc.

(2) External communication: read/write of user data and communication protocol handling.

(3) Loading and updating of on-card cardholder information.

(4) User PIN changes.

(5) Service Provider Data Area management, such as loading and updating of individual service
provider information, SPDA access control, etc.

The COS will also provide support during various stages of a transaction. For example, the
COS can handle the SP selection at the beginning of a transaction and record the transaction into
a log file when the transaction has been completed. An embodiment of the invention may
implement one of the following two design approaches to the COS or a hybrid of the two design
approaches:

(1) Most of the intelligence can be put into the COS, whereby the COS supports most of the EC
functionalities. Consequently, each on-card service provider area relies on the COS to carry
out the transaction with the merchant and the SP. In this approach, the COS can provide
a uniform interface with the outside world for all on-card SPs and efficiently carry out the
transaction once an SP has been selected.

(2) Alternatively, the COS can be a pool of general services each on-card SP can utilize. Each
SP data area can contain applets, which have the intelligence to carry out a transaction with
the merchant and the SP. In this approach, the SP has more opportunity to implement its
own unique feature when performing a transaction.

Figure 5 shows how digital signatures are used in the preferred embodiment of the
invention. A sender of a message first prepares the data portion of a message, M 900, and passes
it through a one-way hash algorithm, H(*) 902. The output from the hash algorithm is called the
message digest MD of message M 903. The MD is then encrypted, E(*) 904, i.e. digitally signed,
using the sender's private key (Pri). The result is called the digital signature DS of a message M.
The DS is then combined with the original message M 900 and forms a complete message 906
ready for transmission to a recipient through a network 50.
The public-key encryption/decryption function can be any of a number of
encryption/decryption functions. RSA, which takes its name from the first initials of the RSA
developers' last names (Ronald Rivest, Adi Shamir, and Len Adleman), is just one example of
a public-key encryption/decryption method which can be used in an embodiment of the
invention.

When the intended recipient receives the message from a network 50, he first separates the
data portion of the message M 900 from the digital signature 912 combined with it. The
recipient then runs the data portion of the message M 900 through the same hash algorithm 910
that was used to encode the data portion of message M 900, and consequently obtains a message
digest MD^ 911 of M. The recipient then decrypts, D(*) 908, the digital signature 912 contained
in the original message using the sender's public key (here, the EC's public key) and
recovers the original message digest, denoted here as MD 909. MD 909 is compared with the
newly calculated MD^ 911 for correctness. If they are not identical, the original message has been
corrupted and should be rejected.

Following is a list of symbols and abbreviations used in figures 5 through 11:

Acknowledgement Data_EC = A part of the message sent back by the EC to the SP. It notifies the
SP that the previous message has been successfully received and processed.
Acknowledgement Data_M = A part of the message sent back by the merchant to the SP. It
notifies the SP that the previous message has been successfully received and processed.
AI_EC = Account information of EC holder.
AI_M = Account information of merchant.
CRYPTO = Cryptogram.
D = Decryption function.
D_SP-Private-Key = Decryption using SP's private key.
DS = Digital signature function.
DS_EC-Private-Key = Digital signature signed by the EC on a message.
DS_M-Private-Key = Digital signature signed by the merchant on a message.
DS_SP-Private-Key = Digital signature signed by the SP on a message.
E = Encryption function.
E (Data) = Encryption of data under a data encryption key.
E_SP-PK, E_SP-Public-Key = Data encrypted by SP public key.
E_Skey-EC, D_Skey-EC = Encryption/Decryption using the session key that the SP generated for the EC.
E_Skey-M, D_Skey-M = Encryption/Decryption using the session key that the SP generated for the
merchant.
EC = Electronic card, or electronic card equivalent software.
H (M) = Apply a one-way hashing algorithm on M. It generates the message digest (MD) of M.
KE = Key exchange phase.
M = Merchant.
MD = Message Digest.
MD^ = Message Digest produced by message recipient using the message just received as input
data.
MD_EC = The message digest of a message going from EC to SP.
MD_M = The message digest of a message going from merchant to SP.
MD_SP-M = The message digest of a message going from SP to merchant.
MD_SP-EC = The message digest of a message going from SP to EC which is bypassed by
merchant.
PLAIN TEXT = Transaction data, which can be transmitted without encryption. Plain text can
be different for different messages and transaction parties.
PLAIN TEXT_EC = Part of the transaction data provided by EC in its outgoing messages. Plain
text data fields are not security sensitive. Therefore, they are transmitted without encryption.
Note that the content of this symbol can be different when used in a different message.
PLAIN TEXT_M = Part of the transaction data provided by merchant in its outgoing messages.
Plain text data fields are not security sensitive. Therefore, they are transmitted without
encryption. Note that the content of this symbol can be different when used in a different
message.
PLAIN TEXT_SP-EC = Part of the transaction data provided by SP for EC only in its outgoing
messages. Plain text data fields are not security sensitive. Therefore, they are transmitted without
encryption. Note that the content of this symbol can be different when used in a different
message.
PLAIN TEXT_SP-M = Part of the transaction data provided by SP for merchant only in its outgoing
messages. Plain text data fields are not security sensitive. Therefore, they are transmitted without
encryption. Note that the content of this symbol can be different when used in a different
message.
STD = Sensitive transaction data, which requires encryption during data transmission.
STD_EC = Sensitive transaction digital data provided by EC in its outgoing messages. Note that
the content of this symbol can be different when used in a different message.
STD_M = Sensitive transaction digital data provided by merchant in its outgoing messages. Note
that the content of this symbol can be different when used in a different message.
PK = Public key.
EC-PK, PK_EC = Public key of the electronic card.
M-PK, PK_M = Public key of the merchant.
SP-PK, PK_SP = Public key of the selected service provider.

Response Data_SP-EC = A part of the message sent back by the SP to the EC during the transaction
phase of a transaction. It can include approval/disapproval data and/or any other relevant data.
Response Data_SP-M = A part of the message sent back by the SP to the merchant during the
transaction phase of a transaction. It can include approval/disapproval data and/or any other
relevant data.
RN = Random number.
RN_EC = Random number generated by the EC and sent to SP.
RN_SP-EC = Random number generated by the SP and sent to EC.
RN_M = Random number generated by the merchant.
RN_SP-M = Random number generated by the SP and sent to M.
SP = Financial or non-financial service provider.
TA = Transaction (currency) amount.
Transaction Identification Number_SP-EC, TID_SP-EC (Transaction ID_SP-EC) = A data field whose value
is assigned by the SP during the key exchange phase of a transaction. The EC will use this value
to communicate with the SP during the same transaction.
Transaction Identification Number_SP-M, TID_SP-M (Transaction ID_SP-M) = A data field whose value
is assigned by the SP during the key exchange phase of a transaction. The merchant will use this
value to communicate with the SP during the same transaction.
* = Combine or concatenation of data within an encryption E or a decryption D.

Figures 6A through 6Q comprise the flowchart for a preferred embodiment of the 
cryptographic system and method. For the purpose of simplifying the description and symbolism 
contained in figures 6A through 6Q, the flowchart assumes that each of the parties involved in 
the transaction uses one key pair. In another embodiment of the invention, two public key pairs 
may be used, in which case, both public keys need to be exchanged. 

The preferred embodiment of the invention consists of two distinct phases: the key 
exchange phase and the transaction phase. 

PHASE I: KEY EXCHANGE PHASE (HANDSHAKE PHASE) 

The EC cardholder inserts the EC into a card read/write device or starts the EC equivalent
software and enters a PIN number and/or satisfies the access conditions 110 to use the EC card.
The entered security information is compared 112 with the on-card information 114
to verify that the user is authorized to use the EC. If the security information does not match the
card security information, then the request to use the card is rejected 116. Otherwise, the card
is unlocked 118 for use. Once the card is unlocked, the user can request the list of the on-card
SPs available for selection and make a selection 120 by issuing an SP selection command to the
EC. Once the SP is selected, the EC proceeds to start the key exchange (KE) with the SP. The
public key of the selected SP, represented by the symbols SP-PK and PK_SP, is obtained from the
EC's SPDA and is used to encrypt messages that will be sent to the SP.

The main purpose of the KE is to securely send the cardholder's public key, PK_EC 126, and
an EC random number, RN_EC 124, to the SP. The SP response to the EC is to assign a session key
and a transaction ID to the EC, which will be used by the EC to communicate with the SP for the
rest of the transaction. To format the KE message, the EC generates a random number, RN_EC
124, concatenates it with the EC's public key, PK_EC 126, and EC sensitive transaction data
STD_EC 128 relevant to the transaction and/or required by the SP. The EC encrypts them 122
using the SP's public key, PK_SP, retrieved from the SPDA 120. The resulting EC cryptogram,
E_SP-PK(RN_EC*PK_EC*STD_EC), is then combined 130 with the plain text portion of the message,
PLAIN TEXT_EC 132, if any, to form an EC combination message,
PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC). The EC's public key PK_EC 126 may be placed in the
plain text PLAIN TEXT_EC instead of being encrypted when forming the EC combination message.

Only sensitive data is encrypted. Non-sensitive response data is included in the plain text.
Only the SP is able to read the sensitive data. In a multi-party transaction, the SP has full access
to the sensitive information of all the participants.

The resulting EC combination message is then sent through a hashing algorithm 134 to form
a hash message, which is the EC message digest MD_EC. The EC message digest MD_EC is
digitally signed by the EC 136 using the EC private key 138 to form a digitally signed message
DS_EC-Private-Key. The digitally signed message DS_EC-Private-Key is then combined 140 with the EC
combination message. The combination of the plain text PLAIN TEXT_EC, the cryptogram
CRYPTO_EC, and the digital signature DS_EC-Private-Key is the KE message from the EC and is sent to
the merchant 158 through a network. Plain text includes all the transaction data fields that are
not sensitive in nature and therefore can be transmitted in a clear, discernible form; they do not
need to be encrypted. These data fields are different for each message and are defined by the
transacting parties.

To communicate with the SP, the merchant goes through essentially the same steps to
format its own KE message with the SP as the EC goes through to format the EC's KE message
with the merchant. The cardholder and the merchant do not communicate with the SP
individually, but through a combined message. Consequently, there will be no need to exchange
any confidential financial information between the cardholder and the merchant. The merchant
prepares his device for the transaction 142 and selects from his own SPDA, which resides within
the merchant's device, the same SP as the EC cardholder has selected for the transaction 144.
The public key of the SP, represented by the symbols SP-PK and PK_SP, is obtained from the SP's
SPDA and is used to encrypt messages that will be sent to the SP.

To format its own KE message, the merchant generates a random number, RN_M 148,
concatenates it with the merchant's public key, PK_M 150, and the merchant's sensitive
transaction data STD_M. Sensitive transaction data is data that is relevant to the transaction and/or
required by the SP 152. The merchant encrypts 146 the combined data using the public key of
the service provider, PK_SP. The resulting cryptogram is then combined 154 with the plain text
portion PLAIN TEXT_M 156 of the message, if any, to form a merchant combination message.
The merchant's public key PK_M 150 may be placed within the plain text PLAIN TEXT_M instead
of being encrypted when forming the merchant combination message
PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M).

The merchant combination message [PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M)] is further
combined 158 with the EC's KE message
{[PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC)]*DS_EC-Private-Key}
to form the data portion of the KE message for both the merchant and the EC, i.e., the
EC-merchant combination message
{[PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC)]*DS_EC-Private-Key}*[PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M)].
The EC-merchant combination message is sent through a hashing algorithm 160 to form a hash
message, which is the merchant message digest MD_M. The merchant message digest MD_M is
digitally signed 162 by the merchant using the merchant's private key 164 to form a merchant
digitally signed message DS_M-Private-Key. The merchant digitally signed message
DS_M-Private-Key is then combined 166 with the data portion of the message, i.e., the
EC-merchant combination message, to form a key exchange request message
<<{[PLAIN TEXT_EC*E_SP-PK(RN_EC*PK_EC*STD_EC)]*DS_EC-Private-Key}*[PLAIN TEXT_M*E_SP-PK(RN_M*PK_M*STD_M)]>>*DS_M-Private-Key
for both the merchant and EC. This final message
is sent to the SP through a network. Figure 7 represents the final format and content of the key
exchange request message from a merchant to an SP.

In the preferred embodiment of the invention, the merchant does not check the MD of the
EC's request message, MD_EC, because the EC encrypts his public key. However, in an alternate
embodiment of the invention, if the EC chooses not to encrypt his public key, then the merchant
can optionally check the EC's MD before passing it to the SP. In either case, whether the EC
encrypts his public key or not, for enhanced security
and to avoid possible processing errors by the merchant, the SP can still check the EC's MD.
When the merchant receives a combination response from the SP for both himself and the EC,
the merchant does not have to check the MD for the EC since it is part of the overall message
formed by a single originator, the SP. The merchant only needs to check the MD of the overall
message he receives from the SP.

When the SP receives the KE request message, the SP first separates 168 the data portion
of the KE request message from the DS and feeds the data portion of the KE request message
into a one-way hash algorithm to recalculate the message digest, which becomes MD^_M. The SP
then separates the merchant's plain text PLAIN TEXT_M, cryptogram CRYPTO_M, digital
signature DS_M-Private-Key and the EC's KE request message
PLAIN TEXT_EC*CRYPTO_EC*DS_EC-Private-Key. Using its own private key, the SP decrypts the
merchant's cryptogram 170 and recovers, among other information, the merchant's random number
RN_M 148 and the merchant's public key PK_M 150. The SP then uses the recovered PK_M to decrypt
the digital signature signed by the merchant, DS_M-Private-Key, and recovers the MD_M for the
merchant's KE message. The SP compares 172 the newly hashed MD^_M 168 with the MD_M 170
recovered by decrypting the DS from the original KE message. If there is a discrepancy between
MD^_M and MD_M, then the KE message has been corrupted and is therefore rejected 174. If MD^_M
and MD_M match, then the SP separates the data portion of the EC's KE request message from the
DS and feeds the data portion of the EC's KE request message into a one-way hash algorithm to
recalculate the message digest (MD^_EC). The SP then separates the EC's plain text
PLAIN TEXT_EC, if any, cryptogram CRYPTO_EC, and digital signature DS_EC-Private-Key in the data
portion of the EC's KE request message 176. Using its own private key, the SP decrypts the EC's
cryptogram and recovers, among other information, the EC's random number RN_EC and the EC's
public key PK_EC. The SP then uses the recovered PK_EC to decrypt the digital signature signed by
the EC and recovers the MD_EC for the EC's KE message. In step 178, the SP compares the newly
hashed MD^_EC 176 with the MD_EC recovered by decrypting the DS from the original KE message.
If there is any discrepancy found, the KE message has been corrupted and is therefore rejected
180. Otherwise, the SP is ready to send a KE response message back to the merchant and EC.
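
The key exchange request and the SP's two-stage digest check described above, together with the hash-then-sign scheme of Figure 5, as an added Python sketch that is not part of the patent text. Assumptions: toy textbook RSA over Mersenne-prime moduli (insecure, chosen only so the example runs on the standard library), SHA-256 as H, a 2-byte length prefix standing in for "*", and constructed sample field values.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def toy_key(a, b):
    """Constructed demo key: n = (2**a - 1)(2**b - 1), both Mersenne primes. Not secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus n, private exponent d)

SP_N, SP_D = toy_key(521, 607)   # service provider
EC_N, EC_D = toy_key(127, 521)   # electronic card
M_N, M_D = toy_key(107, 607)     # merchant

def i2b(x):
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def b2i(b):
    return int.from_bytes(b, "big")

def pack(*fields):
    """The patent's '*' (combine); the 2-byte length prefix per field is an assumption."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        end = i + 2 + b2i(blob[i:i + 2])
        if end > len(blob):
            raise ValueError("malformed message")
        fields.append(blob[i + 2:end])
        i = end
    return fields

def encrypt(data, n):
    m = b2i(b"\x01" + data)          # 0x01 marker preserves leading zero bytes
    if m >= n:
        raise ValueError("data too long for modulus")
    return i2b(pow(m, E, n))

def decrypt(crypto, n, d):
    return i2b(pow(b2i(crypto), d, n))[1:]

def sign(data, n, d):
    """DS = E_private(H(M)), the sender side of Figure 5."""
    return i2b(pow(b2i(hashlib.sha256(data).digest()), d, n))

def verify(data, ds, n):
    """Recover MD from the DS with the public key and compare it with the recomputed MD^."""
    return pow(b2i(ds), E, n) == b2i(hashlib.sha256(data).digest())

def ec_ke_message(plain=b"order=1001", std=b"acct=EC-0001"):
    """Step 1: [PLAIN TEXT_EC * E_SP-PK(RN_EC * PK_EC * STD_EC)] * DS_EC-Private-Key."""
    crypto = encrypt(pack(secrets.token_bytes(8), i2b(EC_N), std), SP_N)
    data = pack(plain, crypto)
    return pack(data, sign(data, EC_N, EC_D))

def merchant_ke_request(ec_msg, plain=b"merchant=M-77", std=b"acct=M-0042"):
    """Step 2: <<EC message * [PLAIN TEXT_M * E_SP-PK(RN_M * PK_M * STD_M)]>> * DS_M-Private-Key."""
    crypto = encrypt(pack(secrets.token_bytes(8), i2b(M_N), std), SP_N)
    combined = pack(ec_msg, pack(plain, crypto))
    return pack(combined, sign(combined, M_N, M_D))

def sp_process(request):
    """SP side: check the merchant's outer digest first, then the EC's inner digest."""
    combined, ds_m = unpack(request)
    ec_msg, m_data = unpack(combined)
    m_plain, m_crypto = unpack(m_data)
    rn_m, pk_m, std_m = unpack(decrypt(m_crypto, SP_N, SP_D))
    if not verify(combined, ds_m, b2i(pk_m)):
        raise ValueError("merchant MD mismatch: KE request rejected")
    ec_data, ds_ec = unpack(ec_msg)
    ec_plain, ec_crypto = unpack(ec_data)
    rn_ec, pk_ec, std_ec = unpack(decrypt(ec_crypto, SP_N, SP_D))
    if not verify(ec_data, ds_ec, b2i(pk_ec)):
        raise ValueError("EC MD mismatch: KE request rejected")
    return {"rn_ec": rn_ec, "pk_ec": b2i(pk_ec), "std_ec": std_ec, "plain_ec": ec_plain,
            "rn_m": rn_m, "pk_m": b2i(pk_m), "std_m": std_m, "plain_m": m_plain}
```

Because each signature is checked against a public key carried inside the same message, the check shows integrity and possession of the matching private key; tying that key to an account is a separate validation step at the SP. A real implementation would use padded RSA (OAEP for encryption, PSS for signatures) rather than the raw exponentiation used here.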

To format the KE response message for the EC, the SP generates a random number, RN_SP-EC
184, and a session key Skey_EC 186 for the EC, combines them with the EC-generated random
number 188, RN_EC, and service provider sensitive transaction data STD_SP-EC 190, and encrypts them
192 using the EC's public key PK_EC. The resulting cryptogram,
E_EC-PK(RN_EC*RN_SP-EC*Skey_EC*STD_SP-EC), is combined 196 with a transaction identification
number, TID_SP-EC 194, assigned to the EC by the SP and plain text, PLAIN TEXT_SP-EC 195, if any,
to form the data portion of the response message for the EC. The SP runs this data through a
hash algorithm to calculate the message digest MD_SP-EC 198. Using its own private key 202, the
SP creates a digital signature DS_SP-Private-Key 200 for the response message by digitally signing the
message digest MD_SP-EC. After combining 204 the data portion of the message with the newly
calculated DS_SP-Private-Key, the SP's KE response message for the EC is complete,
[TID SP . EC *PLAIN TEXT SP _ EC *E^ 

To format the KE response message for the merchant, the SP generates a random number
RN_SP-M 208 and a session key Skey_M 210 for the merchant and combines them with the merchant
generated random number RN_M 212, sensitive transaction data STD_SP-EC 214 and encrypts them
206 using the merchant's public key PK_M recovered in 170. The resulting cryptogram is
combined 216 with a transaction identification number, TID_SP-M 218, assigned to the merchant
by the SP and plain text, PLAIN TEXT_SP-M 220, if any, to form the data portion of the response
message for merchant. The resulting combination message,
TID_SP-M*PLAIN TEXT_SP-M*E_M-PK(RN_SP-M*RN_M*Skey_M*STD_SP-M), is further combined 222 with the
KE response message for the EC,
[TID_SP-EC*PLAIN TEXT_SP-EC*E_EC-PK(RN_SP-EC*RN_EC*Skey_EC*STD_EC)]*DS_SP-Private-Key,
to form the data portion of the SP's final KE response message,
{[TID_SP-EC*PLAIN TEXT_SP-EC*E_EC-PK(RN_SP-EC*RN_EC*Skey_EC*STD_EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_M-PK(RN_SP-M*RN_M*Skey_M*STD_SP-M)].
The SP runs the data portion through a hash algorithm
to calculate the message digest 224. Using its own private key 228, the SP creates a digital
signature, DS_SP-Private-Key 226, for the response message by digitally signing the message digest.
After combining 230 the data portion of the message with the newly calculated DS 226, the KE
response message for both the EC and the merchant is complete. The response message
«{[TID_SP-EC*PLAIN TEXT_SP-EC*E_EC-PK(RN_SP-EC*RN_EC*Skey_EC*STD_SP-EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_M-PK(RN_SP-M*RN_M*Skey_M*STD_SP-M)]»*DS_SP-Private-Key
is sent back to the merchant through a network. Figure 8 depicts the final format and content of the
combined KE response message from the SP to the merchant.

When the merchant receives the KE response message 232, the merchant first separates the
DS_SP-Private-Key, which was signed by the SP, and then feeds the data portion of the combined
response message into a one-way hash algorithm to recalculate the message digest MD^_SP-M. The
merchant then separates the data portion of the SP's KE response message, i.e., TID_SP-M, PLAIN
TEXT_SP-M, CRYPTO_SP-M, [(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)]*DS_SP-Private-Key. The
merchant uses SP's public key (selected from 144) to decrypt the digital signature DS_SP-Private-Key
to recover the message digest MD_SP-M. The merchant compares 234 the newly hashed MD^_SP-M
with the MD_EC. If there is any discrepancy between MD^_SP-M and MD_SP-M, the KE response
message has been corrupted and is therefore rejected 236. If MD^_SP-M and MD_SP-M match, then
the merchant identifies the part of the response message which is meant for him and decrypts the
cryptogram CRYPTO_SP-M 238 using his own private key. The merchant should be able to
recover the original random number RN_M (of 148) that he sent to the SP in the KE request
message. The merchant compares 240 the recovered random number RN_M (of the step 238) with
the original random number RN_M. If they are not equal, then the message has been corrupted
and the message is rejected 242. Since the random number RN_M can only be recovered by the
SP using the correct SP private key, it is assured that the sender of the message is indeed the
selected SP. The merchant then forwards the EC's KE response message
[(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)]*DS_SP-Private-Key to the EC and prepares for the
transaction phase of the transaction.

When the EC receives the KE response message 260, the EC first separates the DS_SP-Private-Key,
which was signed by the SP, and then feeds the data portion of the KE response message for
the EC into a one-way hash algorithm producing a MD^_SP-EC. The EC then separates the data
portion of the message, i.e., TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key. The EC
uses SP's public key (selected in 120) to decrypt the digital signature DS_SP-Private-Key message and
recovers the message digest MD_SP. The EC compares 262 the newly hashed MD^_SP-EC (in 260)
with the MD_SP-EC recovered by decrypting the DS_SP-Private-Key from the KE response message for
EC. If there is any discrepancy between MD^_SP-EC and MD_SP-EC found, the KE response message
for the EC has been corrupted and is therefore rejected 264. If MD^_SP-M and MD_SP-M match, the
EC identifies the part of the response message which is meant for him and decrypts 266 the
cryptogram CRYPTO_SP-EC, which is contained in the message, using his own private key. The
EC should be able to recover the original random number RN_EC (of 124) that was sent in the EC
KE request message. The EC compares 268 the recovered random number RN_EC (of 266) with
the original random number RN_EC (of 124). If the random numbers are not equal, then the
message has been corrupted and the message is rejected 270. Since only the SP using the correct
SP private key can recover the random number RN_EC, this serves to ensure that the sender of the
message is indeed the selected SP. The EC prepares for the transaction phase of the transaction.

There will be a predefined timeout period set in the EC and the merchant. During a
transaction, if a response message is not received within a timeout period, the EC and the
merchant will consider the transaction aborted and will either retry or start the recovery process.

After successful completion of the KE message exchanges, the SP has EC's public key and
the merchant's public key. At this point, both the EC and the merchant have a random number,
a transaction ID, and a session key from the SP. The EC and the merchant must send the two
random numbers recovered from the KE response message back to the SP to complete the key
exchange phase of the transaction. This can be done in two ways. The random numbers can be
sent back through a confirmation message from both the EC and the merchant. Or the random
numbers can be sent back as part of the next message going out from the EC and the merchant
to the SP, such as a transaction message. The second method is simpler and is described in phase
II below. The random numbers are used only once to ensure the correctness of the key exchange
between the SP and merchant, and the SP and EC. Once the session keys and transaction
identification number have been established, the random numbers are no longer used.

PHASE II: TRANSACTION PHASE 

During the transaction phase, the merchant and the EC each send their own account
information such as an account number and other transaction related data such as transaction
amount, request for approval or other processing, to the SP. Again, the EC and the merchant talk
to the SP individually but through combined messages, and the merchant is responsible for
combining the messages and sending them as one message to the SP.

The EC first forms the transaction message by concatenating the random number RN_SP-EC
274 from the SP and the EC's account information with the selected SP, AI_EC 276, transaction
amount TA 280 and any other sensitive data 278 relevant to the transaction and/or required by
the SP. The EC encrypts 272 them using the session key Skey_EC assigned by the SP. The Skey_EC
is a secret key and uses a cryptographic algorithm different from the cryptographic algorithm
used for the public key encryption. The resulting cryptogram CRYPTO_EC, i.e.,
Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA), is then combined 282 with the transaction ID TID_SP-EC 284 and
the plain text PLAIN TEXT_EC 286, if any, to form the data portion of the EC's transaction message,
TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC. The data portion 282 is fed into a one-way hash algorithm 288
to calculate the message digest MD_EC and the MD_EC is then digitally signed 290 by the EC's
private key 292. The resulting digital signature 290 is combined with the data portion of the
message (from 282) 294 to form EC's transaction request message and then sent to the
merchant, [TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key.

The merchant goes through essentially the same steps to form his transaction message. The
merchant forms his transaction message by concatenating 246 the RN_SP-M from the SP and the
merchant's account information with the selected SP, AI_M 248, transaction amount TA 252 and
any other sensitive data STD_M 250 relevant to the transaction and/or required by the SP. The
merchant encrypts them 244 using the session key Skey_M assigned by the SP. The session key
Skey_M is a secret key and is created using a different cryptographic algorithm, such as DES, from
the cryptographic algorithm used for public key encryption. The session key Skey_M is used to
perform the encryption at this point to create the cryptogram CRYPTO_M. The resulting
cryptogram CRYPTO_M, i.e., Skey_M(RN_SP-M*STD_M*AI_M*TA), is then combined 254 with the
transaction ID TID_SP-M 256 and the plain text PLAIN TEXT_M 258, if any, to form the data portion
of the merchant's transaction message, TID_SP-M*PLAIN TEXT_M*CRYPTO_M. This data is
combined 296 with the EC's transaction request to form the data portion of the final transaction
request message for the SP,
[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)].
As before, the merchant feeds his combined data through a one-way hash algorithm 298 to
calculate the message digest MD_M and the MD_M is then digitally signed 300 by the merchant's
private key 302. The resulting digital signature DS_M-Private-Key 300 is combined 304 with the data
portion of the message (from 296) to form the final transaction request message and is then sent
to the SP,
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)]}*DS_M-Private-Key.
Figure 9 depicts the final format of the transaction request message.

When the SP receives the transaction request message, the SP first checks 306 the two
transaction identification numbers, i.e., TID_SP-EC and TID_SP-M, sent by the EC and the merchant
and makes sure they are valid. When either TID_SP-M (of 210) or TID_SP-EC (of 186) is found invalid
306, then the message is rejected 308. If the transaction identification numbers are both valid,
then the SP proceeds to separate the DS_M-Private-Key from the data portion of the message and feeds
the data portion of the message,
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)]},
into a one-way hash algorithm to calculate the message digest MD^_M of
this message. The SP separates the data portion of the message, i.e., TID_SP-M, PLAIN
TEXT_M, CRYPTO_M, DS_M-Private-Key, (TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key. The
SP decrypts 310 the DS_M-Private-Key using the merchant's public key and compares the newly
recovered message digest MD_M with the message digest just calculated MD^_M (from 306). If
MD^_M and MD_M are not equal, the message has been corrupted and is rejected 314. If MD^_M
and MD_M match, then the SP decrypts 316 the encrypted portion of the message using the session
key Skey_M (of 210) it assigned to the merchant during the KE phase and recovers the data fields
contained in the encrypted portion. The SP compares 318 the random number RN_SP-M the
merchant sends back in the message with the message the SP sent to the merchant originally,
RN_SP-M (from 208). If the random numbers are not equal, then the merchant has failed the mutual
authentication test and the message is rejected 320.

In addition, the SP will verify the EC's account information AI_EC and the transaction data
such as the transaction amount TA. The message is rejected 320 if the AI is no longer valid. It
is also rejected when the TA from the EC and the TA from the merchant do not match. There
may be other conditions for invalidating a message. If the account information AI_EC and the
transaction are valid, then the SP goes on to verify the EC portion of the message.

As with the merchant's message, the SP first separates 322 the DS_EC-Private-Key from the EC's
message and feeds the data portion of the EC's message, (TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC),
into a one-way hash algorithm to calculate the message digest MD^_EC of the EC message. The
SP separates the data portion of EC's transaction request, TID_SP-EC, PLAIN TEXT_EC, CRYPTO_EC,
DS_EC-Private-Key. The SP decrypts 324 DS_EC-Private-Key using EC's public key PK_EC and recovers
MD_EC. The SP compares 326 the recovered MD_EC with MD^_EC. If MD^_EC and MD_EC are not
equal, the message has been corrupted and is rejected 328. If MD^_EC and MD_EC match, then the
SP decrypts 330 the encrypted portion of the EC message using the session key Skey_EC (of 186)
it assigned to the EC during the KE phase and recovers the data fields contained in it. The SP
compares 332 the random number RN_SP-EC the EC sends back in the message with the random
number RN_SP-EC it sent out to the EC originally (in 184). If the random numbers are not equal,
then the EC has failed the mutual authentication test and the message is rejected 334. The SP
will verify the merchant's account information AI_M and the transaction data such as the
transaction amount TA and will reject the message when the account information is invalid or
when the transaction data does not meet the SP's criterion 334. Once the integrity and
authenticity of the overall message has been established, the SP can process the data contained
in the message and send a response message back. The random number that is sent back in this
message completes the mutual authentication between the SP and the merchant, and between the
SP and the EC. After this message, no exchange of random numbers will be necessary. The SP
can choose to use the random number as the transaction identification number which the
merchant and the EC will use in all subsequent messages that they send to the SP.
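
The SP-side checks on the combined transaction request described above can be traced in a short simulation. This is an added example, not code from the patent: the JSON packing, the field names, the SHA-256 keystream standing in for the session-key cipher, and the unpadded toy RSA keys built from Mersenne primes are assumptions chosen so that it runs on the Python standard library alone. The amount comparison is placed after both cryptograms are opened, and the account-information checks are omitted.

```python
import hashlib
import json
import secrets

def make_key(p, q):
    """Toy RSA pair from two known Mersenne primes (constructed, far too small to use)."""
    n = p * q
    return {"n": n, "e": 65537}, {"n": n, "d": pow(65537, -1, (p - 1) * (q - 1))}

def pack(obj) -> bytes:  # canonical bytes standing in for the '*' concatenation
    return json.dumps(obj, sort_keys=True).encode()

def digest(data: bytes) -> int:  # MD, truncated to 128 bits to fit under the toy moduli
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(data: bytes, priv) -> int:  # DS: digest encrypted under the private key
    return pow(digest(data), priv["d"], priv["n"])

def recover_md(ds: int, pub) -> int:  # "decrypt the DS" with the public key
    return pow(ds, pub["e"], pub["n"])

def skey_crypt(skey: bytes, data: bytes) -> bytes:
    """Stand-in session-key cipher (assumption): XOR with a SHA-256 counter keystream."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(skey + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def data_portion(tid, skey, rn_sp, ai, ta):
    """TID * CRYPTO, with CRYPTO = Skey(RN_SP * AI * TA)."""
    fields = pack({"rn": rn_sp, "ai": ai, "ta": ta})
    return {"tid": tid, "crypto": skey_crypt(skey, fields).hex()}

def ec_message(priv, **fields):
    """The EC's signed transaction message, as handed to the merchant."""
    data = data_portion(**fields)
    return {"data": data, "ds": sign(pack(data), priv)}

def merchant_request(priv, ec_msg, **fields):
    """The merchant appends its own data portion and signs the combination."""
    outer = {"ec_msg": ec_msg, "m_data": data_portion(**fields)}
    return {"data": outer, "ds": sign(pack(outer), priv)}

def open_crypto(data, session):
    """Decrypt with the session key the SP assigned; None if the result is not fields."""
    try:
        fields = json.loads(skey_crypt(session["skey"], bytes.fromhex(data["crypto"])))
    except ValueError:
        return None
    return fields if isinstance(fields, dict) else None

def sp_verify(req, sessions):
    """SP-side checks on the combined transaction request; returns a verdict."""
    outer = req["data"]
    ec_msg, m_data = outer["ec_msg"], outer["m_data"]
    ec_s, m_s = sessions.get(ec_msg["data"]["tid"]), sessions.get(m_data["tid"])
    if ec_s is None or m_s is None:
        return "reject: invalid TID"
    if recover_md(req["ds"], m_s["pub"]) != digest(pack(outer)):
        return "reject: merchant signature"
    m_f = open_crypto(m_data, m_s)
    if m_f is None or m_f.get("rn") != m_s["rn"]:
        return "reject: merchant nonce"
    if recover_md(ec_msg["ds"], ec_s["pub"]) != digest(pack(ec_msg["data"])):
        return "reject: EC signature"
    ec_f = open_crypto(ec_msg["data"], ec_s)
    if ec_f is None or ec_f.get("rn") != ec_s["rn"]:
        return "reject: EC nonce"
    if ec_f.get("ta") != m_f.get("ta"):
        return "reject: amount mismatch"
    return "accepted"

def scenarios():
    """Run constructed requests through sp_verify and return each verdict."""
    ec_pub, ec_priv = make_key(2**127 - 1, 2**89 - 1)
    m_pub, m_priv = make_key(2**107 - 1, 2**61 - 1)
    ec = {"tid": "TID-EC-1", "skey": secrets.token_bytes(16), "rn_sp": secrets.token_hex(8)}
    m = {"tid": "TID-M-1", "skey": secrets.token_bytes(16), "rn_sp": secrets.token_hex(8)}
    sessions = {p["tid"]: {"skey": p["skey"], "rn": p["rn_sp"], "pub": pub}
                for p, pub in ((ec, ec_pub), (m, m_pub))}  # SP state after the KE phase
    def run(ec_over=None, m_over=None, alter_ec=False):
        ec_msg = ec_message(ec_priv, **{**ec, "ai": "ACCT-EC", "ta": 1000, **(ec_over or {})})
        if alter_ec:  # flip one hex digit of the EC cryptogram before the merchant signs
            c = ec_msg["data"]["crypto"]
            ec_msg["data"]["crypto"] = ("1" if c[0] == "0" else "0") + c[1:]
        req = merchant_request(m_priv, ec_msg,
                               **{**m, "ai": "ACCT-M", "ta": 1000, **(m_over or {})})
        return sp_verify(req, sessions)
    return {
        "honest": run(),
        "ec_part_altered": run(alter_ec=True),
        "stale_ec_nonce": run(ec_over={"rn_sp": "stale"}),
        "amount_mismatch": run(m_over={"ta": 9000}),
        "unknown_tid": run(m_over={"tid": "TID-M-404"}),
    }

if __name__ == "__main__":
    print(scenarios())
```

The `ec_part_altered` case shows what the inner signature adds: a change made to the EC's part before the merchant signs still passes the outer digest comparison and is caught only when the SP checks DS_EC-Private-Key.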

As before, the response message contains information for both the EC and the merchant.
To format the transaction response message for the EC, the SP generates the response data for
the EC, Response Data_SP-EC 338, and encrypts 336 it using the session key Skey_EC assigned to the
EC. Only sensitive data is encrypted. Non-sensitive response data is included in the plain text.
The cryptogram CRYPTO_SP-EC, i.e., E_Skey-EC(Response Data_SP-EC), is combined 340 with the
transaction identification number TID_SP-EC 342 that the SP assigned to the EC (from 194) and the
plain text that the SP has for EC 344, if any, to form the data portion of the response message for
the EC, i.e., TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC). The data portion of the
message is fed into a hash algorithm 346 to generate a MD_SP-EC which is digitally signed 348 by
the SP using the SP's private key 350. The DS_SP-Private-Key is combined 352 with the data portion
of the response message (from 340) to form the complete response message for the EC,
[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key.

To format the transaction response message for the merchant, the SP generates the response
data for the merchant, Response Data_SP-M 356, and encrypts 354 it using the session key Skey_M
assigned to the merchant (from 210). The cryptogram CRYPTO_SP-M is combined 358 with the
transaction identification number TID_SP-M assigned to merchant 360 (from 218) and the plain text
PLAIN TEXT_SP-M that the SP has for merchant 362, if any, to form the data portion of the
response message for the merchant, TID_SP-M*PLAIN TEXT_SP-M*CRYPTO_SP-M. The data is then
combined 364 with the completed response message for the EC to form the data portion of the
response message for both the EC and the merchant,
[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)].

The data is then fed into a hash algorithm 366 to generate a MD_SP-M which is digitally signed
368 by the SP using the SP's private key 370. The DS_SP-Private-Key is combined 372 with the data
portion of the response message for both the EC and the merchant to form the complete response
message for both the EC and the merchant,
«{[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)]»*DS_SP-Private-Key.
The SP then sends its response message back to the merchant. Figure 10 depicts the final
format of the transaction response message.

When the merchant receives the message, the merchant first checks 374 the transaction
identification number, TID_SP-M, in the message and makes sure it is valid. If the transaction
identification number is invalid then the message is rejected 376. If the TID_SP-M is valid, then
the merchant separates the DS_SP-Private-Key which was signed by the SP from the data portion of the
message, and then feeds the data portion of the transaction response message
«{[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key}*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)]»
into a one-way hash algorithm producing a MD_SP-M. The
merchant separates the data portion of the message into different parts, TID_SP-M, PLAIN
TEXT_SP-M, CRYPTO_SP-M, DS_SP-Private-Key, (TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC*DS_SP-Private-Key)
and prepares to forward SP's transaction response message to the EC. The merchant
decrypts 378 the encrypted portion of the SP's message using the session key Skey_M assigned
by the SP during the KE phase and recovers the data fields contained within it. The merchant
then uses SP's public key, PK_SP (from 144), to decrypt the digital signature DS_SP-Private-Key to
recover MD_SP-M. The merchant compares 380 the newly hashed MD^_SP-M (from 374) with the
recovered MD_SP-M. If MD^_SP-M and MD_SP-M do not match, then the transaction response message
has been corrupted and is therefore rejected 382. If the message digests match, then the
merchant starts processing the message. As usual, the EC portion of the transaction response
message (TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC*DS_SP-Private-Key) is passed to EC.

When the EC receives the transaction response message, the EC first checks 394 the
transaction identification number, TID_SP-EC, in the message and makes sure it is valid. If the
transaction identification number is invalid, then the message is rejected 396. If the transaction
identification number is valid, then the merchant separates the DS_SP-Private-Key, which was signed
by the SP, from the data portion of the transaction response message, and then feeds the data
portion of the EC transaction response message TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response
Data_SP-EC) into a one-way hash algorithm producing MD^_SP-EC. The EC separates the message
into different parts, TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key. The EC decrypts 398
the encrypted portion of SP's message using the session key Skey assigned by the SP during the
KE phase and recovers the data fields contained within it. The EC uses SP's public key (from
120) to decrypt the digital signature DS_SP-Private-Key and recovers the message digest MD_SP-EC. The
merchant compares 400 the newly hashed MD^_SP-EC 394 with the recovered MD_SP-EC. If MD^_SP-EC
and MD_SP-EC do not match, then the transaction response message has been corrupted and is
therefore rejected 402. If the message digests match, then the EC starts processing the message.

At the end of the transaction, the EC and the merchant can, if required by the SP, send an
acknowledgement message to the SP to signal that the response message has been correctly
received and processed. This acknowledgement data can be included as a part of the next
message to be sent to the SP, if there are more messages to be exchanged between the SP and the
merchant and the EC before the transaction ends. Or the acknowledgement data can be a
message by itself.

To format the acknowledgement message, the EC first encrypts 404 the sensitive part of the
acknowledgement data, Acknowledgement Data_EC 406, if any, using the session key, Skey_EC,
thus creating Skey_EC(Acknowledgement Data_EC). The EC combines 408 the resulting cryptogram
with the transaction identification number TID_SP-EC 410 assigned by the SP and the plain text
PLAIN TEXT_EC 412, if any. This forms the data portion of EC's acknowledgement message,
TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC). This combined data is then fed
into a one-way hash algorithm 414 to generate the MD_EC. The resulting MD_EC is then digitally
signed 416 by the EC using the EC's private key 418 to generate a DS_EC-Private-Key. The
DS_EC-Private-Key is combined 420 with the data portion of the message (from 408) to form the complete
acknowledgement message for the EC, [TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement
Data_EC)]*DS_EC-Private-Key. The acknowledgement message is then sent to the merchant.

The merchant goes through the same steps to form his own acknowledgement message. To
format the acknowledgement message, the merchant first encrypts the sensitive parts of the
acknowledgement data, Acknowledgement Data_M 386, if any, using the session key Skey_M
assigned by the SP to merchant, thus creating Skey_M(RN_SP-M*Acknowledgement Data_M). The
merchant combines 388 the resulting cryptogram with the transaction identification number
TID_SP-M 390 assigned by the SP, and the plain text PLAIN TEXT_M (from 392), if any. This forms
the data portion of the merchant's acknowledgement message, TID_SP-M*PLAIN TEXT_M*
Skey_M(RN_SP-M*Acknowledgement Data_M). This data portion is further combined 422 with the
acknowledgement message received from the EC to form the data portion of the combined
acknowledgement message for the SP,
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M*Skey_M(Acknowledgement Data_M)].
The merchant feeds the data portion of the combined acknowledgement message for the SP into a
one-way hash algorithm to generate the message digest MD_M. The resulting MD_M is then
digitally signed by the merchant using the merchant's private key 428 to generate DS_M-Private-Key
426. The DS_M-Private-Key is combined 430 with the data portion of the message (from 422) to form
the final combined acknowledgement message of the EC and the merchant designated for the SP,
«{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M*Skey_M(Acknowledgement Data_M)]»*DS_M-Private-Key.
This message is then sent to the SP. Figure 11 depicts the final format of the transaction
acknowledgement message.

TID_SP-M is the transaction identification number assigned by the SP to the merchant (from
218) and TID_SP-EC is the transaction identification number assigned by the SP to the EC (from
194). Upon receiving the transaction acknowledgement message, the SP checks 432 the two
transaction identification numbers, TID_SP-M and TID_SP-EC, sent by the EC and the merchant and
makes sure they are valid. When either TID_SP-M or TID_SP-EC is found invalid, then the message
is rejected 434. If the transaction identification numbers are both valid, then the SP proceeds to
separate the DS_M-Private-Key from the combined acknowledgement message and feeds the data
portion of the combined acknowledgement message
«{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M*Skey_M(Acknowledgement Data_M)]»
into a one-way hash algorithm to calculate the
message digest MD^_M of this message. The SP separates the data portion of the message,
TID_SP-M, PLAIN TEXT_M, CRYPTO_M, DS_M-Private-Key, (TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key.
The SP decrypts 436 the DS_M-Private-Key using the merchant's public key PK_M and
compares the recovered message digest MD_M 432 with the message digest just calculated MD^_M
436. If MD^_M and MD_M are not equal, then the message has been corrupted and is rejected 440.
If MD^_M and MD_M match, then the SP decrypts 442 the encrypted portion of the merchant's
acknowledgement message using the session key Skey_M (from 210) that it assigned to the
merchant during the KE phase and recovers the acknowledgement data contained within it.

The SP separates 444 the DS_EC-Private-Key from the EC's acknowledgement message and feeds
the data portion of the EC's acknowledgement message, TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC,
into a one-way hash algorithm to calculate the message digest MD^_EC of this message. The SP
separates the data portion of the EC's acknowledgement message, TID_SP-EC, PLAIN TEXT_EC,
CRYPTO_EC, DS_EC-Private-Key. The SP decrypts 446 the DS_EC-Private-Key using the EC's public key
PK_EC and compares 448 the recovered MD_EC with the message digest just calculated MD^_EC 444.
If the message digests are not equal, then the message has been corrupted and is rejected 450.
If MD^_EC and MD_EC match, then the SP decrypts 452 the encrypted portion of the message using
the session key Skey_EC (from 186) that it assigned to the EC during the KE phase and recovers
the acknowledgement data contained within it. This completes the processing of the transaction
phase of the transaction 454.

Throughout the transaction, in a preferred embodiment, the EC works with interface
software provided by Internet browser software such as the Microsoft Explorer or Netscape
Navigator. In a typical session, the cardholder points his browser to the merchant's URL and
orders goods or services from the merchant. At the time of payment, the browser will invoke the
EC interface software, which can be built into the browser or included as a plug-in or add-on
software component, and allow the transaction to proceed. The cardholder can point his browser
to the URL of any SP member.

The two-phased transaction described in figures 6A-6Q above is just a specific case of
applying the two-phased key-exchange-transaction model. In the two-phased transaction
described in figures 6A-6Q, the number of parties involved in the transaction is three: the EC,
the merchant and the SP. The two-phased key-exchange-transaction model is similarly
applicable to cases where the number of parties involved varies from two to many. In a
transaction that involves more than three parties, there is only one party that plays the role of the
SP. All other parties use the public key of the selected SP to perform the initial key exchange
and use session keys and transaction IDs assigned by the SP to carry out the transaction.

The two-phased key-exchange-transaction model is applicable to organization schemes
wherein: (1) the participants can be arranged with possible routers in series with the service
provider; or (2) the participants can be arranged with possible routers in a hierarchical
organization. These additional organization schemes may involve routers, which route messages
to the next level. A level of a hierarchy may be composed of any number of participants and/or
routers. The next level is the next participant or router that is next in the sequence or hierarchy.
In a hierarchical organization scheme, the next level includes all possible next participants and
routers. For the hierarchical organization scheme, the SP establishes the criterion for
determining the next participant or router to which a message is sent.

A router is a gateway/conduit, which collects the messages from a previous level and
performs some processing on the messages according to an SP's requirements such as combining
them, and then forwards the messages to the SP. Each participant need only form his own
message (data and digital signature) and send it to the next level. A participant combines all the
messages he receives with his own message and digitally signs the combined message before
sending it to next level. In the hierarchical organization's simplest form, there is only one
message router, which collects messages from all the other participants and sends the combined
message to the SP.

In the series organization, an originator of a transaction is in series with routers and/or
participants who in turn are in series with a service provider 60. In the preferred
embodiment of the invention, each element shown in figure 12 is a participant. In an alternative
embodiment of the invention, any intermediate element between the originator and the SP can
be a router.

An originator conducts a transaction with participants 1100, 1120, 1140 and 1160 and a
service provider that have been arranged in series as shown in Figure 12. This is similar to the
three-party scenario described in figures 6A-6Q except for the fact that now there are more parties
involved. Note participants 3, 4, 5, 6 ... n-2 that have been arranged in series 1180. Each of the
participants prepares his own message, incorporates it with the message he receives from a prior
participant, if any, appends a digital signature with the message, and then sends it to the next
participant in the line. The combined message is eventually sent to the SP and the SP forms the
response message accordingly and sends it back through the same path the original request
message has traveled.

Figure 13 shows elements arranged in a hierarchical organization scheme, where each
element, X_1,1 to X_1,n (n = 1, 2, 3, ...) 1200, is a participant of the transaction and not a message
router, and each element, X_j,k (j = 2, 3, 4, ...; k = 1, 2, 3, ... m; m is a variable of type n; m may
be a different value for different levels of a hierarchy) 1210, can either be a participant or a
router. The upward pointing bold arrow represents sending a request message 1220. The
downward pointing arrow represents sending a response message 1230.

Each participant collects messages from a number of participants he is responsible for and,
after combining the messages with his own and forming a new message, sends the new message
to the next level. A hierarchical organization scheme may include from only one participant to as
many as are required (the most regressive case of the hierarchical scheme is one participant and
one service provider). Eventually, at the last element before the service provider, X_{o,1}, where o
is of type n, all messages are combined into one message 1240, which is then sent to the SP 60.
Again, the SP forms the response message and sends it back through the same route.

In the case when the SP is not directing the transaction, the members are conducting the
transaction among themselves using the session key generated by the SP. A transaction can
occur between two or more members. When there are more than two members involved in the
transaction, the messages can flow from member to member in any order. A member sends a
transaction request message and receives a transaction response message. A member does not
necessarily have to receive a transaction response message from the same member to whom he sent
the transaction request message. For example, three members in a transaction can be organized
in a ring and send messages around the ring. A first member can send a transaction request
message to a second member who in turn sends a transaction request message and a transaction
response message to a third member. The third member sends a transaction request message and
a transaction response message to the first member, and the first member sends a transaction
response message to the second member. A member receiving a transaction request message
creates a transaction response message, which eventually will be sent to the member who sent
the transaction request message.

During the key exchange phase, the SP obtains the public keys of all the transaction
participating members. The SP sends to each participating member the other members' public
keys prior to the participating members conducting a transaction among them. The transaction
request messages and the transaction response message include plain text if any, a cryptogram,
and a digital signature of the sending party.

In the case when the SP needs to act as the surrogate-certificate for the EC and/or the
merchant in order to deal with a certificate-based external system, the SP shields the EC and/or
the merchant from the operation of the external interface. The SP only returns to the EC and/or
the merchant, the information needed to complete the transaction with the EC and/or the
merchant.

While there have been described herein what are considered to be preferred and exemplary
embodiments of the present invention, other modifications of the invention shall be apparent to
those with ordinary skill in the art. Therefore, it is desired to be secured in the appended claims
all such modifications and extensions as fall within the true spirit and scope of the
invention. The invention is to be construed as including all embodiments thereof that fall within
the scope of the appended claims and the invention should only be limited by the appended
claims below. In addition, one with ordinary skill in the art will readily appreciate that other
applications may be substituted for those set forth herein without departing from the spirit and
scope of the present invention.

CLAIMS:

1. A system for electronic transactions comprising:
an electronic card having,
a cryptographic service for encryption and decryption,
a data area for storing cardholder information, and
a data area for storing service provider information;
a service provider member terminal responsive to the electronic card; and
a service provider terminal in communication with the service provider member terminal.

2. The system of claim 1 wherein the electronic card is a physical card.

3. The system of claim 1 further comprising software having the electronic card.

4. The system of claim 1 wherein the electronic card further comprises a card operating
system for loading and updating cardholder information, changing a PIN, and managing the
service provider data area.

5. The system of claim 1 wherein the electronic card performs external communication
read/write operations, and communication protocol handling.

6. The system of claim 1 wherein the electronic card further comprises software to manage
the electronic card.

7. The system of claim 1 wherein the data area for storing service provider information
comprises a service provider record comprising:
a name field indicating the service provider;
a key value; and
an account information field containing information unique to each service provider.

8. The system of claim 1 wherein the electronic card further comprises application software.

9. The system of claim 1 wherein the electronic card further comprises applets.

10. The system of claim 1 further comprising an external system wherein the service provider
terminal communicates with the external system.

11. The system of claim 7 wherein each service provider record further comprises a card type
field specifying the type of instrument a service provider supports.

12. A method of conducting an electronic transaction using an electronic card comprising the
steps of:
generating a session key at the service provider;
exchanging keys by sending a key from a member to a service provider and sending a session
key from the service provider to the member; and
using the session key to conduct a transaction.

13. The method of claim 12 wherein the step of exchanging keys comprises the steps of:
sending a key exchange request message from a member to a service provider; and
formatting a key exchange response including the session key for a member and sending the
key exchange response to a member.

14. The method of claim 12 wherein the step of using a session key to conduct a transaction
comprises the steps of:
formatting a member transaction request message using the session key and sending it to the
service provider; and
formatting at the service provider, a transaction response message for the member and
sending the transaction response message to the member.

15. The method of claim 12 wherein the step of using a session key to conduct a transaction
comprises the steps of:
formatting by a first member, using the session key, a transaction request message, the
transaction request message including a digital signature of the first member, and sending the
transaction request message to a second member; and
formatting by a second member, using the session key, a transaction response message, the
transaction response message including a digital signature of the second member, and sending
the transaction response message to the first member.

16. The method of claim 12 wherein the step of using a session key to conduct a transaction
comprises the steps of:
formatting by a first member, using the session key, a transaction request message, the
transaction request message including a digital signature of the first member, and sending the
transaction request message to an intermediate member; and
formatting by an intermediate member, using the session key, a transaction response
message, the transaction response message including a digital signature of the intermediate
member, and sending the transaction response message to a final member;
formatting by a final member, using the session key, a transaction response message, the
transaction response message including a digital signature of the final member, and sending the
transaction response message to the first member.

17. The method of claim 12 wherein the step of exchanging keys comprises the steps of:
sending a key exchange request message from the electronic card to a merchant terminal;
combining at the merchant terminal, a merchant key exchange request message with the
electronic card's key exchange request message and sending the combined key exchange request
message to a service provider;
formatting a key exchange response including the session key for the merchant terminal,
formatting a key exchange response including the session key for the electronic card, combining
the key exchange responses into a combined key exchange response and sending the combined
key exchange response to the merchant terminal; and
separating at the merchant terminal, the key exchange response for the merchant from the key
exchange response for the electronic card system, and forwarding the key exchange response for
the electronic card to the electronic card.

18. The method of claim 12 wherein the step of using a session key to conduct a transaction
comprises the steps of:
formatting the electronic card's transaction request message using the session key and
sending it to the merchant terminal;
formatting at the merchant's terminal, using the session key, the merchant transaction request
message, combining the received transaction request message with the merchant transaction
request message and sending the combined transaction request message to the service provider;
formatting by the service provider, using the session key, a transaction response message for
the merchant, a transaction response message for the electronic card system, and combining the
transaction response messages into a combined transaction response message and sending the
combined transaction response message to the merchant terminal; and
separating at the merchant terminal, the transaction response message for the merchant from
the transaction response message for the electronic card, and forwarding the transaction response
message for the electronic card system to the electronic card.

19. The method of claim 12 wherein when the service provider is directing the transaction,
only the service provider can read sensitive transaction data within a message sent from a
member.

20. The method of claim 12 wherein when the service provider is not directing the
transaction, only the service provider can read sensitive transaction data within a message sent
from a member during the key exchange phase.

21. The method of claim 13 wherein the key exchange response further comprises public
keys for every member involved in a transaction.

22. The method of claim 13 wherein a key exchange request message includes a member
generated random number within the encrypted part of the key exchange message.

23. The method of claim 13 wherein a key exchange request message includes a member
generated digital signature.

24. The method of claim 13 wherein a key exchange request message from a member
includes a cryptogram comprising:
a random number of the member; and
sensitive data of the member.

25. The method of claim 14 wherein a transaction message includes a random number within
the encrypted part of the transaction message.

26. The method of claim 14 wherein a transaction message includes a digital signature of a
sending party.

27. The method of claim 14 wherein only the service provider can read sensitive transaction
data within a transaction message.

28. The method of claim 14 further comprising the steps of:
formatting at the member, using the session key, a transaction Acknowledgement message
and sending the transaction Acknowledgement message to the service provider.

29. The method of claim 18 further comprising the steps of:
formatting at the electronic card, using the session key, a transaction Acknowledgement
message and sending the transaction Acknowledgement message to the merchant; and
formatting at the merchant's terminal, using the session key, the merchant transaction
Acknowledgement message, combining the received transaction Acknowledgement message
with the merchant transaction Acknowledgement message and sending the combined transaction
Acknowledgement message to the service provider.

30. The method of claim 24 wherein the key exchange request message further comprises
plain text.

31. The method of claim 24 wherein the key exchange request message further includes a
digital signature of a member.

32. The method of claim 24 wherein the cryptogram further comprises a public key of the
member.

33. The method of claim 25 wherein a transaction message includes a digital signature of a
sending party.

34. A method of sending a key exchange message comprising the steps of:
satisfying electronic card access conditions by an electronic cardholder;
selecting a service provider by the electronic cardholder;
generating an electronic card random number by the electronic card;
encrypting by the electronic card with a service provider's public key, a random number, an
electronic card public key, and electronic card sensitive transaction data to form an electronic
card cryptogram;
combining by the electronic card the electronic card cryptogram with plain text, if any, to
form an electronic card combination message;
applying a hashing algorithm to the electronic card combination message to form an electronic
card message digest;
digitally signing by the electronic card, the electronic card message digest using the
electronic card private key to form an electronic card digitally signed message;
combining by the electronic card, the electronic card combination message with the
electronic card digitally signed message to form a key exchange message from the electronic
card; and
sending the electronic card key exchange message from the electronic card to a merchant
through a network.

35. The method of claim 34 further comprising the steps of:
generating a merchant random number by a merchant device;
encrypting by the merchant device with a service provider's (SP's) public key, a merchant
random number, a merchant public key, and merchant sensitive data to form a merchant
cryptogram;
combining by the merchant device, the merchant cryptogram with plain text, if any, to form
a merchant combination message;
combining by the merchant device the electronic card (EC) key exchange message with the
merchant combination message to form an EC-merchant combination message;
applying a hashing algorithm to the EC-merchant combination message to form a merchant
message digest;
digitally signing by the merchant device, the merchant message digest using the merchant's
private key to form a merchant digitally signed message;
combining by the merchant, the EC-merchant combination message with the merchant
digitally signed message to form a merchant key exchange request message from the merchant;
and
sending the merchant key exchange request message from the merchant to a service provider
through a network.

36. A key exchange request message comprising:
electronic card plain text;
electronic card cryptogram, encrypted with a service provider public key, comprising an
electronic card random number, an electronic card public key, and electronic card sensitive
transaction data;
an electronic card digital signature of the electronic card plain text and the electronic card
cryptogram;
merchant plain text;
merchant cryptogram, encrypted with the service provider public key, of a merchant random
number, a merchant public key, and merchant sensitive transaction data; and
a merchant digital signature of the merchant plain text and the merchant cryptogram.

37. A key exchange response message comprising:
service provider (SP) plain text for the electronic card (EC);
SP transaction identification number for the EC;
SP cryptogram for the EC, encrypted with the EC public key, of the EC random number, an
SP random number for the EC, a session key, and SP sensitive transaction data for the EC;
an SP digital signature of the SP plain text for the EC, the SP transaction identification
number for the EC; and the SP cryptogram for the EC;
SP plain text for the merchant;
SP transaction identification number for the merchant;
SP cryptogram for the merchant encrypted with the merchant public key, of the merchant
random number, an SP random number for the merchant, a session key, and SP sensitive
transaction data for the merchant; and
an SP digital signature of the SP plain text for the merchant, the SP transaction identification
number for the merchant; and the SP cryptogram for the merchant.

38. A method of conducting an electronic transaction among multiple parties arranged in
series comprising the steps of:
sending a key exchange request message from an electronic card to a first party where the
first party is a message router or participant;
sending the key exchange request message from the first party to a next party if the first party
is a router;
combining a first party's key exchange request message with the electronic card's key exchange
request message and sending the combined key exchange request message to a next party if the
first party is a participant;
sending the key exchange request message to a next party if the current party is a message
router;
combining a current party's key exchange request message with a last party's key exchange
request message and sending the combined key exchange request message to a next party, if the
current party is a participant;
formatting, by the service provider, into one message, a key exchange response for each
participant and sending the message in reverse order of the path for sending the key exchange
request message to the service provider; and
separating, by every participant, the key exchange response for itself from the key exchange
responses for the other participants, and forwarding the remaining key exchange responses to the
other participants in reverse order of the path for sending the key exchange request message to
the service provider, until the electronic card receives its key exchange response.

39. A method of conducting an electronic transaction among multiple parties arranged in
series comprising the steps of:
sending a transaction request message from an electronic card to a first party where the first
party is a message router or participant;
sending the transaction request message from the first party to a next party if the first party
is a router;
combining a first party's transaction request message with the electronic card's transaction
request message and sending the combined transaction request message to a next party if the first
party is a participant;
sending the transaction request message to a next party if the current party is a message
router;
combining a current party's transaction request message with a last party's transaction
request message and sending the combined transaction request message to a next party, if the
current party is a participant;
formatting, by the service provider, into one message, a transaction response for each
participant and sending the message in reverse order of the path for sending the transaction
request message to the service provider; and
separating, by every participant, the transaction response for itself from the transaction
responses for the other participants, and forwarding the remaining transaction responses to the
other participants in reverse order of the path for sending the transaction request message to the
service provider, until the electronic card receives its transaction response.

40. A method of conducting an electronic transaction among multiple parties arranged in a
hierarchical organization comprising the steps of:
sending a key exchange request message from an electronic card to a first party where the
first party is a message router or participant;
sending the key exchange request message to a next party X_{j,k} (j = 2, 3, 4, ...; k = 1, 2, 3,
... m; m is a variable of type n; n = 1, 2, 3, ...; m can be different values for different values of
j) if the first party is a message router;
combining a first party's key exchange request message with the electronic card's key
exchange request message and sending the combined key exchange request message to a next
party X_{j,k} if the first party is a participant;
sending the key exchange request message to the next party X_{j,k} if a current party X_{j,k} is a
message router;
combining a current party X_{j,k}'s key exchange request message with the last party's key
exchange request message and sending the combined key exchange request message to the next
party X_{j,k}, if the current party X_{j,k} is a participant;
formatting, by the service provider, into one message, a key exchange response for each
participant and sending the message in reverse order of the path for sending the key exchange
request message to the service provider; and
separating, by every participant, the key exchange response for itself from the key exchange
responses for the other participants, and forwarding the remaining key exchange responses to the
other participants in reverse order of the path for sending the key exchange request message to
the service provider, until the electronic card receives its key exchange response.

41. A method of conducting an electronic transaction among multiple parties arranged in a
hierarchical organization comprising the steps of:
sending a transaction request message from an electronic card to a first party where the first
party is a message router or participant;
sending the transaction request message to a next party X_{j,k} (j = 2, 3, 4, ...; k = 1, 2, 3, ... m;
m is a variable of type n; n = 1, 2, 3, ...; m can be different values for different values of j) if the
first party is a message router;
combining a first party's transaction request message with the electronic card's transaction
request message and sending the combined transaction request message to a next party X_{j,k} if the
first party is a participant;
sending the transaction request message to the next party X_{j,k} if a current party X_{j,k} is a
message router;
combining a current party X_{j,k}'s transaction request message with the last party's transaction
request message and sending the combined transaction request message to the next party X_{j,k}, if
the current party X_{j,k} is a participant;
formatting, by the service provider, into one message, a transaction response for each
participant and sending the message in reverse order of the path for sending the transaction
request message to the service provider; and
separating, by every participant, the transaction response for itself from the transaction
responses for the other participants, and forwarding the remaining transaction responses to the
other participants in reverse order of the path for sending the transaction request message to the
service provider, until the electronic card receives its transaction response.

[FIG. 6B, continued (flowchart; inputs shown include PK_M and STD_M).]

MERCHANT'S ENCIPHERER: USE SELECTED SERVICE PROVIDER PUBLIC KEY; ENCRYPTS
E_SP-PK(RN_M * PK_M * STD_M)

To step 154, FIG. 6C.



[FIG. 6C (flowchart, sheet 8/29; boxes 154 to 166). From step 146 and step 140, FIG. 6B.]

MERCHANT'S PLAIN TEXT: PLAIN TEXT_M

MERCHANT COMBINES PLAIN TEXT AND CRYPTOGRAM:
PLAIN TEXT_M * E_SP-PK(RN_M * PK_M * STD_M)

MERCHANT COMBINES EC'S MESSAGE AND MERCHANT'S MESSAGE:
{[PLAIN TEXT_EC * E_SP-PK(RN_EC * PK_EC * STD_EC)] * DS_EC-Private-Key}
* [PLAIN TEXT_M * E_SP-PK(RN_M * PK_M * STD_M)]

MERCHANT HASHES AND PRODUCES A MESSAGE DIGEST MD_M:
H«{[PLAIN TEXT_EC * E_SP-PK(RN_EC * PK_EC * STD_EC)] * DS_EC-Private-Key}
* [PLAIN TEXT_M * E_SP-PK(RN_M * PK_M * STD_M)]» = MD_M

MERCHANT'S PRIVATE KEY; USE MERCHANT'S DIGITAL SIGNATURE GENERATOR:
E_M-Private-Key(MD_M) = DS_M-Private-Key

MERCHANT COMBINES:
«{[PLAIN TEXT_EC * E_SP-PK(RN_EC * PK_EC * STD_EC)] * DS_EC-Private-Key}
* [PLAIN TEXT_M * E_SP-PK(RN_M * PK_M * STD_M)]» * DS_M-Private-Key
= [(PLAIN TEXT_EC * CRYPTO_EC) * DS_EC-Private-Key
* (PLAIN TEXT_M * CRYPTO_M)] * DS_M-Private-Key

Step 2 in FIG. 2. To step 168, FIG. 6D.



[FIG. 6D (flowchart; boxes 170 to 190). First party computer unit (merchant) to the service provider. From step 166, FIG. 6C. Parts of this sheet are illegible in the source.]

(1) [Largely illegible; the box ends with a hash over a message beginning PLAIN TEXT_EC.]

SP uses SP_Private-Key to decrypt CRYPTO_M to obtain PK_M, which is used to verify DS_M-Private-Key.

Decision on the merchant's message digest: NO: REJECT. YES: continue.

(2) [Partly illegible] Separates DS_EC-Private-Key and hashes the EC's plain text and cryptogram.
Separates EC's KE request message, which becomes: PLAIN TEXT_EC, CRYPTO_EC [remainder illegible];
uses SP_Private-Key to decrypt CRYPTO_EC [remainder illegible];
uses PK_EC to verify DS_EC-Private-Key.

RANDOM NUMBER GENERATOR: SP GENERATES RN TO EC: RN_SP-EC
SP GENERATES ONE SESSION KEY FOR EC: Skey_EC
EC'S RANDOM NUMBER (SEE 124) DECRYPTED BY SP (SEE 176): RN_EC
SP'S SENSITIVE TRANSACTION DATA TO EC: STD_SP-EC

To step 182, FIG. 6E. To step 206, FIG. 6F.



[FIG. 6E (flowchart; boxes 192 to 214). From steps 184, 186, 188 and 190, FIG. 6D.]

SP ENCIPHERER: USE EC'S PUBLIC KEY:
E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)

SP assigns a Transaction Identification Number to EC: TID_SP-EC = Transaction ID_SP-EC

SP'S PLAIN TEXT TO EC: PLAIN TEXT_SP-EC

SP COMBINES Transaction ID, PLAIN TEXT AND CRYPTOGRAM:
TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)

SERVICE PROVIDER HASHES AND PRODUCES A MESSAGE DIGEST:
H[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] = MD_SP-EC

READ SP'S PRIVATE KEY; USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR:
E_SP-Private-Key(MD_SP-EC) = DS_SP-Private-Key

SERVICE PROVIDER COMBINES:
[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] * DS_SP-Private-Key

To step 222, FIG. 6F.

From step 178, FIG. 6D:

RANDOM NUMBER GENERATOR: SP GENERATES RN TO M: RN_SP-M
MERCHANT'S RANDOM NUMBER (SEE 148) DECRYPTED BY SP (SEE 170): RN_M
SP GENERATES ONE SESSION KEY FOR MERCHANT: Skey_M
SP'S SENSITIVE TRANSACTION DATA TO MERCHANT: STD_SP-M

To step 206, FIG. 6F.



[FIG. 6F (flowchart; boxes 216 to 230). From steps 208, 210, 212 and 214, FIG. 6E.]

SP ENCIPHERER: USE MERCHANT'S PUBLIC KEY:
E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)

SP assigns a Transaction Identification Number to merchant: TID_SP-M = Transaction ID_SP-M

SP'S PLAIN TEXT TO MERCHANT: PLAIN TEXT_SP-M

SERVICE PROVIDER COMBINES PLAIN TEXT AND CRYPTOGRAM:
TID_SP-M * PLAIN TEXT_SP-M * E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)

From step 204, FIG. 6E.

SERVICE PROVIDER COMBINES:
[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)] * DS_SP-Private-Key
* [TID_SP-M * PLAIN TEXT_SP-M * E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)]

SP HASHES AND PRODUCES A MESSAGE DIGEST:
H{[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)]
* DS_SP-Private-Key * [TID_SP-M * PLAIN TEXT_SP-M
* E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)]} = MD_SP-M

READ SP PRIVATE KEY; USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR:
E_SP-Private-Key(MD_SP-M) = DS_SP-Private-Key

SERVICE PROVIDER COMBINES:
«{[TID_SP-EC * PLAIN TEXT_SP-EC * E_EC-PK(RN_SP-EC * RN_EC * Skey_EC * STD_SP-EC)]
* DS_SP-Private-Key} * [TID_SP-M * PLAIN TEXT_SP-M
* E_M-PK(RN_SP-M * RN_M * Skey_M * STD_SP-M)]» * DS_SP-Private-Key
= [(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key
* (TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M)] * DS_SP-Private-Key

To step 232, FIG. 6G.



[FIG. 6G (flowchart). Second party computer unit (service provider) to first party computer unit (merchant). Step 3 in FIG. 2. From step 230, FIG. 6F.]

(1) Merchant separates the DS_SP-Private-Key.
(2) Merchant hashes the data portion of the SP's KE response message:
H[(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) * DS_SP-Private-Key
* (TID_SP-M * PLAIN TEXT_SP-M * CRYPTO_SP-M)] = MD^_M
(3) Merchant separates the data portion of the SP's KE response message:
TID_SP-M, PLAIN TEXT_SP-M, CRYPTO_SP-M,
[(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC)] * DS_SP-Private-Key
(4) Merchant verifies: D_SP-Public-Key(DS_SP-Private-Key) = MD_M (refer to FIG. 5)

MERCHANT DECIPHERER: D_Merchant-Private-Key(CRYPTO_SP-M)
= D_Merchant-Private-Key[E_Merchant-Public-Key(RN_SP-M * RN_M * Skey_M * STD_SP-M)]
Recover RN_M. Is RN_M identical with RN_M in step 148, FIG. 6B? If yes, then
(1) Merchant forwards SP's KE response message to EC:
(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC * DS_SP-Private-Key), to step 260, FIG. 6H
(2) Merchant prepares transaction phase of the transaction, to step 244, FIG. 6H

START OF MERCHANT'S TRANSACTION PHASE

To step 260, FIG. 6H. To step 244, FIG. 6H.



[FIG. 6H (flowchart, sheet 13/29; boxes 244 to 264). From step 240, FIG. 6G.]

First party computer unit (merchant):

Random Number SP (see 208) sent to Merchant (see 238): RN_SP-M
Merchant's sensitive transaction data to SP: STD_M
MERCHANT'S ACCOUNT INFORMATION: AI_M
TRANSACTION AMOUNT: TA

MERCHANT'S ENCIPHERER: USE SP'S SESSION KEY FOR MERCHANT:
Skey_M(RN_SP-M * STD_M * AI_M * TA) = CRYPTO_M

Transaction Identification Number SP (see 218) assigned to merchant (see 232): TID_SP-M
Merchant's plain text to SP: PLAIN TEXT_M

MERCHANT COMBINES:
TID_SP-M * PLAIN TEXT_M * CRYPTO_M

To step 296, FIG. 6J.

Electronic card computer unit (originator), Step 4 in FIG. 2, from step 240, FIG. 6G:

(1) EC separates the DS_SP-Private-Key, and hashes the data portion of the message:
H(TID_SP-EC * PLAIN TEXT_SP-EC * CRYPTO_SP-EC) = MD^_SP-EC
(2) EC separates: TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key
(3) EC verifies: D_SP-Public-Key(DS_SP-Private-Key) = MD_SP-EC (refer to FIG. 5)

Is MD^_SP-EC equal to MD_SP-EC? NO: REJECTED. YES: to step 266, FIG. 6I.



FIG. 6I

FROM STEP 262 FIG. 6H

EC DECIPHERS: D_EC-Private-Key(CRYPTO_SP-EC)
= D_EC-Private-Key[E_EC-Public-Key(RN_SP-EC*RN_EC*Skey_EC*STD_SP-EC)]; and recovers RN_EC

REJECTED

YES

START OF EC'S TRANSACTION PHASE

RANDOM NUMBER SP (see 184) SENT TO EC (see 266): RN_SP-EC
SENSITIVE TRANSACTION DATA EC TO SP: STD_EC
EC'S ACCOUNT INFORMATION: AI_EC
TRANSACTION AMOUNT: TA

EC ENCIPHERS: USE SP'S SESSION KEY FOR EC:
Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)=CRYPTO_EC

Transaction Identification Number SP (see 194) assigned to EC (see 260): TID_SP-EC
EC's PLAIN TEXT: PLAIN TEXT_EC

EC COMBINES: TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC

EC HASHES AND PRODUCES A MESSAGE DIGEST:
H[TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC]=MD_EC

READ EC'S Private Key

USE EC'S DIGITAL SIGNATURE GENERATOR:
E_EC-Private-Key(MD_EC)=DS_EC-Private-Key

EC COMBINES: [TID_SP-EC*PLAIN TEXT_EC
*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key

Step 5 in FIG. 2

TO STEP 296 FIG. 6J

Reference numerals on this sheet: 266, 270, 272, 274, 276, 278, 280, 282, 284, 286, 288, 290, 292, 294

FIG. 6J

ELECTRONIC CARD COMPUTER UNIT (ORIGINATOR)

Network: FROM STEP 294 FIG. 6I

FIRST PARTY COMPUTER UNIT (MERCHANT)

FROM STEP 254 FIG. 6H

MERCHANT COMBINES:
[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key
*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)]
=(TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key
*(TID_SP-M*PLAIN TEXT_M*CRYPTO_M)

MERCHANT HASHES AND PRODUCES A MESSAGE DIGEST:
H[(TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key
*(TID_SP-M*PLAIN TEXT_M*CRYPTO_M)]=MD_M

MERCHANT'S Private Key

USE MERCHANT'S DIGITAL SIGNATURE GENERATOR:
E_M-Private-Key(MD_M)=DS_M-Private-Key

MERCHANT COMBINES:
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(RN_SP-EC*STD_EC*AI_EC*TA)]*DS_EC-Private-Key
*[TID_SP-M*PLAIN TEXT_M*Skey_M(RN_SP-M*STD_M*AI_M*TA)]}*DS_M-Private-Key
=[(TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key
*(TID_SP-M*PLAIN TEXT_M*CRYPTO_M)]*DS_M-Private-Key

FIRST PARTY COMPUTER UNIT (MERCHANT)

Step 6 in FIG. 2

SECOND PARTY COMPUTER UNIT (SERVICE PROVIDER)

(1) SP checks TID_SP-M and TID_SP-EC to make sure they are valid (see 218 and 194),
if one of them is invalid then rejected 308. (2) SP separates DS_M-Private-Key.
(3) SP hashes the data portion of the transaction request message obtains MD^_M.
(4) SP separates the data portion of the transaction request message and obtains:
TID_SP-M, PLAIN TEXT_M, CRYPTO_M, DS_M-Private-Key,
(TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key

REJECT: TID_SP-M or TID_SP-EC is invalid

TO STEP 310 FIG. 6K

Reference numerals on this sheet: 296, 298, 300, 302, 304, 306



FIG. 6K

FROM STEP 306 FIG. 6J

Use PK_M to verify the DS_M-Private-Key. Is MD^_M=MD_M? (Refer to FIG. 5)

MD^_M = MD_M?
NO: REJECT
YES:

Skey_M decrypts CRYPTO_M, recovers RN_SP-M. RN_SP-M = RN_SP-M in 208 FIG. 6E?

RN_SP-M correct? Verify AI_M and TA.
NO: REJECT
YES:

(1) SP separates DS_EC-Private-Key, hashes the data portion of EC's transaction request
message: H(TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)=MD^_EC
(2) SP separates and obtains: TID_SP-EC, PLAIN TEXT_EC, CRYPTO_EC, DS_EC-Private-Key

SP uses PK_EC to verify DS_EC-Private-Key. Is MD^_EC=MD_EC? (Refer to FIG. 5)

SP's Response Data_SP-EC to EC

TO STEP 354 FIG. 6L

SP USES Skey_EC TO ENCRYPT: E_Skey-EC(Response Data_SP-EC)=CRYPTO_SP-EC

Transaction Identification Number SP (see 194) assigned to EC: TID_SP-EC

SP'S PLAIN TEXT TO EC: PLAIN TEXT_SP-EC

SERVICE PROVIDER COMBINES: TID_SP-EC*PLAIN TEXT_SP-EC
*E_Skey-EC(Response Data_SP-EC)=TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC

TO STEP 346 and 352 FIG. 6L

Reference numerals on this sheet: 310, 312, 314, 316, 318, 320, 322, 324, 336, 340, 342, 344






FIG. 6L

FROM STEP 340 FIG. 6K

SERVICE PROVIDER HASHES AND PRODUCES A MESSAGE DIGEST:
H[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]=MD_SP-EC

READ SP'S Private Key

USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR:
E_SP-Private-Key(MD_SP-EC)=DS_SP-Private-Key

SERVICE PROVIDER COMBINES:
[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key
=(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)*DS_SP-Private-Key

FROM STEP 332 FIG. 6K

SP's Response Data_SP-M to MERCHANT

SP USES Skey_M TO ENCRYPT: E_Skey-M(Response Data_SP-M)=CRYPTO_SP-M

Transaction Identification Number SP (see 218) assigned to Merchant (see 232): TID_SP-M

SP's plain text to merchant: PLAIN TEXT_SP-M

SERVICE PROVIDER COMBINES: TID_SP-M*PLAIN TEXT_SP-M
*E_Skey-M(Response Data_SP-M)=TID_SP-M*PLAIN TEXT_SP-M*CRYPTO_SP-M

SERVICE PROVIDER COMBINES:
[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key
*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)]
=[(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)*DS_SP-Private-Key
*(TID_SP-M*PLAIN TEXT_SP-M*CRYPTO_SP-M)]

SERVICE PROVIDER HASHES AND PRODUCES A MESSAGE DIGEST:
H[(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)*DS_SP-Private-Key
*(TID_SP-M*PLAIN TEXT_SP-M*CRYPTO_SP-M)]=MD_SP-M

TO STEP 368 FIG. 6M

TO STEP 372 FIG. 6M

Reference numerals on this sheet: 346, 348, 350, 352, 354, 356, 358, 360, 362, 364, 366



FIG. 6M

FROM STEP 364 FIG. 6L

FROM STEP 366 FIG. 6L

READ SP'S Private Key

USE SERVICE PROVIDER'S DIGITAL SIGNATURE GENERATOR:
E_SP-Private-Key(MD_SP-M)=DS_SP-Private-Key

SERVICE PROVIDER COMBINES:
{{[TID_SP-EC*PLAIN TEXT_SP-EC*E_Skey-EC(Response Data_SP-EC)]*DS_SP-Private-Key}
*[TID_SP-M*PLAIN TEXT_SP-M*E_Skey-M(Response Data_SP-M)]}*DS_SP-Private-Key
=[(TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC)*DS_SP-Private-Key
*(TID_SP-M*PLAIN TEXT_SP-M*CRYPTO_SP-M)]*DS_SP-Private-Key

SECOND PARTY COMPUTER UNIT (SERVICE PROVIDER)

Step 7 in FIG. 2

FIRST PARTY COMPUTER UNIT (MERCHANT)

(1) Merchant checks TID_SP-M to make sure it is valid (218 and 232), if not rejected 368,
(2) Merchant separates DS_SP-Private-Key. (3) Merchant hashes the data portion of the
message obtains MD^_M. (4) Merchant separates the data portion of the message:
TID_SP-M, PLAIN TEXT_SP-M, CRYPTO_SP-M, DS_SP-Private-Key
Prepare to forward (TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC*DS_SP-Private-Key)

REJECTED: TID_SP-M is invalid

(1) Merchant use SP's session key for merchant received and decrypted 238 FIG. 6G:
D_Skey-M(CRYPTO_SP-M)=D_Skey-M[E_Skey-M(Response Data_SP-M)]
(3) Merchant use SP_Public-Key to verify DS_SP-Private-Key (Refer to FIG. 5)
D_SP-Public-Key(DS_SP-Private-Key)=MD_SP-M. When MD_SP-M equal to MD^_SP-M then,
send (TID_SP-EC*PLAIN TEXT_SP-EC*CRYPTO_SP-EC*DS_SP-Private-Key) to 394 FIG. 6N

TO STEP 380 FIG. 6N

Reference numerals on this sheet: 368, 370, 372, 374, 376, 378



FIG. 6N

FROM STEP 370 FIG. 6M

Merchant's acknowledgement data to SP: Acknowledgement Data_M

Forward SP's message for EC

MERCHANT ENCIPHERS: USE SP'S SESSION KEY FOR MERCHANT:
Skey_M(RN_SP-M*Acknowledgement Data_M)=CRYPTO_M

Transaction Identification Number assigned by SP (see 210) to Merchant (see 224): TID_SP-M

Merchant's Plain Text to SP: PLAIN TEXT_M

MERCHANT COMBINES: TID_SP-M*PLAIN TEXT_M*CRYPTO_M

FIRST PARTY COMPUTER UNIT (MERCHANT)

TO STEP 422 FIG. 6P

Merchant forwards SP's message for EC; Step 8 in FIG. 2

ELECTRONIC CARD COMPUTER UNIT (ORIGINATOR)

(1) EC checks TID_SP-EC to make sure it is valid (194, 260). If not valid rejected 396.
(2) EC separates DS_SP-Private-Key (3) EC hashes the data portion of the message
obtains MD^_SP-EC. (4) EC separates the data portion of the message:
TID_SP-EC, PLAIN TEXT_SP-EC, CRYPTO_SP-EC, DS_SP-Private-Key

REJECT: TID_SP-EC is invalid

TO STEP 398 FIG. 6O

Reference numerals on this sheet: 384, 386, 388, 390, 392, 394, 396



FIG. 6O

FROM 394 FIG. 6N

(1) EC uses SP's session key for EC that received and decrypted in step
266 FIG. 6I: D_Skey-EC(CRYPTO_SP-EC)=D_Skey-EC[E_Skey-EC(Response Data_SP-EC)]
(2) EC use D_SP-Public-Key to verify DS_SP-Private-Key (Refer to FIG. 5)
D_SP-Public-Key(DS_SP-Private-Key)=MD_SP-EC. Is MD_SP-EC equal to MD^_SP-EC?

Is MD^_SP-EC equal to MD_SP-EC?
NO: REJECT
YES:

EC's acknowledgement data to SP: Acknowledgement Data_EC

EC ENCIPHERS: USE SP'S SESSION KEY FOR EC:
Skey_EC(Acknowledgement Data_EC)=CRYPTO_EC

Transaction Identification Number assigned by SP (see 186) to EC (see 252): TID_SP-EC

EC'S PLAIN TEXT TO SP: PLAIN TEXT_EC

EC COMBINES: TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC

EC HASHES AND PRODUCES A MESSAGE DIGEST:
H[TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC]=MD_EC

READ EC'S Private Key

USE EC'S DIGITAL SIGNATURE GENERATOR:
E_EC-Private-Key(MD_EC)=DS_EC-Private-Key

EC COMBINES:
[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key

TO STEP 422 FIG. 6P

Step 9 in FIG. 2

Reference numerals on this sheet: 398, 400, 402, 404, 406, 408, 410, 412, 414, 416, 418
FIG. 6P

ELECTRONIC CARD COMPUTER UNIT (ORIGINATOR)

NETWORK

FROM STEP 420 FIG. 6O

FROM STEP 388 FIG. 6N

MERCHANT COMBINES:
{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]*DS_EC-Private-Key}
*[TID_SP-M*PLAIN TEXT_M*Skey_M(Acknowledgement Data_M)]

MERCHANT HASHES AND PRODUCES A MESSAGE DIGEST:
H{{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]
*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M
*Skey_M(Acknowledgement Data_M)]}=MD_M

READ MERCHANT'S Private Key

USE MERCHANT'S DIGITAL SIGNATURE GENERATOR:
E_M-Private-Key(MD_M)=DS_M-Private-Key

MERCHANT COMBINES:
{{[TID_SP-EC*PLAIN TEXT_EC*Skey_EC(Acknowledgement Data_EC)]
*DS_EC-Private-Key}*[TID_SP-M*PLAIN TEXT_M
*Skey_M(Acknowledgement Data_M)]}*DS_M-Private-Key
={[(TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key]
*(TID_SP-M*PLAIN TEXT_M*CRYPTO_M)}*DS_M-Private-Key

FIRST PARTY COMPUTER UNIT (MERCHANT)

Step 10 in FIG. 2

SECOND PARTY COMPUTER UNIT (SERVICE PROVIDER)

Reference numerals on this sheet: 422, 424, 426, 428, 430
FIG. 6Q

FROM STEP 430 FIG. 6P

(1) SP checks TID_SP-M and TID_SP-EC to make sure it is valid (see 218 and 194),
if one of them is not valid then rejected 434. (2) SP separates DS_M-Private-Key
(3) SP hashes the data portion of the message obtains MD^_M.
(4) SP separates the data portion of the message: TID_SP-M, PLAIN TEXT_M,
CRYPTO_M, DS_M-Private-Key, (TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)*DS_EC-Private-Key

REJECT: Either TID_SP-M or TID_SP-EC is invalid

SP uses PK_M (see 150 and 170) to verify the decrypt DS_M-Private-Key (Refer to FIG. 5).
D_M-Public-Key(DS_M-Private-Key)=MD_M. Is MD_M=MD^_M?
NO: REJECT

SP uses Skey_M (see 210) to decrypt CRYPTO_M and obtains Acknowledgment Data_M

(1) SP separates DS_EC-Private-Key, (2) hashes the data portion of EC's acknowledgement
message: H(TID_SP-EC*PLAIN TEXT_EC*CRYPTO_EC)=MD^_EC
(3) SP separates and obtains: TID_SP-EC, PLAIN TEXT_EC, CRYPTO_EC, DS_EC-Private-Key

SP uses PK_EC (see 126 and 176) to decrypt DS_EC-Private-Key (Refer to FIG. 5).
D_EC-Public-Key(DS_EC-Private-Key)=MD_EC. Is MD_EC=MD^_EC?
NO
YES:

SP uses Skey_EC (see 186) to decrypt CRYPTO_EC and obtains Acknowledgment Data_EC

END OF TRANSACTION PHASE

Reference numerals on this sheet: 432, 434, 436, 440, 442, 444, 446, 448, 450, 452, 454

TRANSACTION COMPLETED
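
An added example, not part of the patent: the SP-side handling of the merchant's transaction request from FIGS. 6I to 6K, with the TID check, the outer merchant signature, the RN_SP-M comparison and the inner EC signature applied in that order. Textbook RSA over fixed Mersenne primes and a SHA-256 XOR keystream are stand-ins so that the code runs on the Python standard library alone; the length-prefixed framing, the sample values, all function names and the EC-side RN comparison are assumptions.

```python
import hashlib, hmac, secrets

E = 65537  # public exponent used by both toy key pairs

def keypair(p, q):      # toy textbook RSA on fixed Mersenne primes: demonstration only
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))           # (modulus, private exponent)

def enc(fields):        # length-prefix each field so the '*' joins cannot be re-split
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def md(fields):         # H(...) = MD
    return int.from_bytes(hashlib.sha256(enc(fields)).digest(), "big")

def sign(fields, n, d): # E_Private-Key(MD) = DS
    return pow(md(fields), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify(fields, ds, n):  # D_Public-Key(DS) == MD^ ?
    return pow(int.from_bytes(ds, "big"), E, n) == md(fields)

def skey_crypt(skey, blob):  # toy SHA-256 XOR keystream in place of the session cipher
    ks = b"".join(hashlib.sha256(skey + i.to_bytes(4, "big")).digest()
                  for i in range(len(blob) // 32 + 1))
    return bytes(a ^ b for a, b in zip(blob, ks))

def part(tid, plain, skey, rn, std, ai, ta):
    """TID * PLAIN TEXT * Skey(RN * STD * AI * TA); RN is a fixed 16 bytes."""
    return (tid, plain, skey_crypt(skey, rn + enc((std, ai, ta))))

def sp_check(msg, sp):
    """SP-side checks in the order of FIGS. 6J-6K; sp holds what SP issued earlier."""
    ec_part, ds_ec, m_part, ds_m = msg[0:3], msg[3], msg[4:7], msg[7]
    if ec_part[0] != sp["tid_ec"] or m_part[0] != sp["tid_m"]:
        return "REJECT: invalid TID"
    if not verify(msg[:7], ds_m, sp["n_m"]):           # outer DS_M covers both parts and DS_EC
        return "REJECT: merchant signature"
    if not hmac.compare_digest(skey_crypt(sp["skey_m"], m_part[2])[:16], sp["rn_m"]):
        return "REJECT: RN_SP-M mismatch"
    if not verify(ec_part, ds_ec, sp["n_ec"]):         # inner DS_EC covers the EC part only
        return "REJECT: EC signature"
    if not hmac.compare_digest(skey_crypt(sp["skey_ec"], ec_part[2])[:16], sp["rn_ec"]):
        return "REJECT: RN_SP-EC mismatch"             # assumed mirror of the merchant check
    return "ACCEPT"

def demo():             # constructed sample values; returns the verdicts for four requests
    n_ec, d_ec = keypair(2**521 - 1, 2**607 - 1)
    n_m, d_m = keypair(2**1279 - 1, 2**2203 - 1)
    sp = {"tid_ec": b"TID-EC-01", "tid_m": b"TID-M-01", "n_ec": n_ec, "n_m": n_m,
          **{k: secrets.token_bytes(16) for k in ("skey_ec", "skey_m", "rn_ec", "rn_m")}}
    ec = part(sp["tid_ec"], b"order 17", sp["skey_ec"], sp["rn_ec"], b"std", b"acct-ec", b"42.00")
    ds_ec = sign(ec, n_ec, d_ec)
    def send(ec_part, rn_m, tid_m=sp["tid_m"]):        # merchant builds and signs the envelope
        m = part(tid_m, b"order 17", sp["skey_m"], rn_m, b"std", b"acct-m", b"42.00")
        inner = ec_part + (ds_ec,) + m
        return sp_check(inner + (sign(inner, n_m, d_m),), sp)
    return (send(ec, sp["rn_m"]),                              # honest run
            send(ec[:2] + (bytes(len(ec[2])),), sp["rn_m"]),   # CRYPTO_EC altered in transit
            send(ec, bytes(16)),                               # stale RN_SP-M
            send(ec, sp["rn_m"], tid_m=b"TID-M-99"))           # TID the SP never issued
```

Calling demo() shows that a merchant who alters the EC part can still produce a valid outer signature, and that the request is then stopped by the inner EC signature.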






FIG. 13 




1220 



1230 






INTERNATIONAL SEARCH REPORT

International application No. PCT/US99/09938

A. CLASSIFICATION OF SUBJECT MATTER
IPC(6): H04K 1/00; H04L 9/00
US CL: 380/30, 49
According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols)
U.S.: 380/30, 49

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched

Electronic data base consulted during the international search (name of data base and, where practicable, search terms used)

C. DOCUMENTS CONSIDERED TO BE RELEVANT



Category*

X

Y, A

Citation of document, with indication, where appropriate, of the relevant passages

US 5,544,246 A (MANDELBAUM et al) 06 August 1996, Figures 2-7, col. 2, lines 9-33.

SCHNEIER, BRUCE. Applied Cryptography second edition. 1996, pgs. 43, and 51-54.

US 5,671,279 A (ELGAMAL) 23 September 1997, figures 1-4, col. 3, lines 38-42.

Relevant to claim No.

1-11

12-41

12-41






Date of the actual completion of the international search

Ml JULY 1999

Name and mailing address of the ISA/US
Commissioner of Patents and Trademarks
Box PCT
Washington, D.C. 20231
Facsimile No. (703) 305-3230

Date of mailing of the international search report

09 SEP 1999

Authorized officer

DOUGLAS MEISLAHN
Telephone No. (703) 305-Y338

Form PCT/ISA/210 (second sheet)(July 1992)*




